Fix cnf format for MTLS (#4290)

* fix cnf generation * update cnf validation middleware
IdentityServer · Apr 16, 2020 · 6b0bf52 · 6b0bf52
1 parent efac03b
commit 6b0bf52
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 3 deletions.
diff --git a/samples/Clients/src/SampleApi/ConfirmationValidationMiddleware.cs b/samples/Clients/src/SampleApi/ConfirmationValidationMiddleware.cs
@@ -2,7 +2,9 @@
 using Microsoft.AspNetCore.Http;
 using Newtonsoft.Json.Linq;
 using System;
+using System.Buffers.Text;
 using System.Security.Claims;
+using System.Security.Cryptography;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication.Certificate;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
@@ -50,13 +52,14 @@ public async Task Invoke(HttpContext ctx)
                         return;
                     }
 
-                    var thumbprint = certResult.Principal.FindFirst(ClaimTypes.Thumbprint).Value;
+                    var certificate = await ctx.Connection.GetClientCertificateAsync();
+                    var thumbprint = Base64UrlTextEncoder.Encode(certificate.GetCertHash(HashAlgorithmName.SHA256));
 
                     var cnf = JObject.Parse(cnfJson);
                     var sha256 = cnf.Value<string>("x5t#S256");
 
                     if (String.IsNullOrWhiteSpace(sha256) ||
-                        !thumbprint.Equals(sha256, StringComparison.OrdinalIgnoreCase))
+                        !thumbprint.Equals(sha256, StringComparison.Ordinal))
                     {
                         await ctx.ChallengeAsync(_options.JwtBearerSchemeName);
                         return;

diff --git a/src/IdentityServer4/src/Extensions/X509CertificateExtensions.cs b/src/IdentityServer4/src/Extensions/X509CertificateExtensions.cs
@@ -1,6 +1,8 @@
 using System.Collections.Generic;
+using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Text.Json;
+using IdentityModel;
 
 namespace IdentityServer4.Extensions
 {
@@ -16,9 +18,11 @@ public static class X509CertificateExtensions
         /// <returns></returns>
         public static string CreateThumbprintCnf(this X509Certificate2 certificate)
         {
+            var hash = certificate.GetCertHash(HashAlgorithmName.SHA256);
+
             var values = new Dictionary<string, string>
             {
-                { "x5t#S256", certificate.Thumbprint.ToLowerInvariant() }
+                { "x5t#S256", Base64Url.Encode(hash) }
             };
 
             return JsonSerializer.Serialize(values);