Add jwks to trustlist

aorzelskiGH · aorzelskiGH · commit c903af110723 · 2025-11-09T18:57:44.000+01:00
diff --git a/examples/TokenX5C/Program.cs b/examples/TokenX5C/Program.cs
diff --git a/src/AasSecurity/GlobalSecurityVariables.cs b/src/AasSecurity/GlobalSecurityVariables.cs
@@ -23,6 +23,8 @@ public static class GlobalSecurityVariables
         internal static List<X509Certificate2> ServerCertificates = new();
         internal static List<string> ServerCertFileNames = new();
         internal static List<string> ServerDomain = new();
+        internal static List<string> ServerJwksUrl = new();
+        internal static List<string> ServerKid = new();
         internal static List<SecurityRight> SecurityRights = new();
         internal static Dictionary<string, string> SecurityUsernamePassword = new();
         internal static Property ConditionSM = null;
diff --git a/src/AasSecurity/SecurityHelper.cs b/src/AasSecurity/SecurityHelper.cs
@@ -80,7 +80,7 @@ private static void ParseSecurityMetamodel()
             domain = "";
             if (GlobalSecurityVariables.ServerCertFileNames != null)
             {
-                for (int i = 0; i < GlobalSecurityVariables.ServerCertFileNames.Count; i++)
+                for (var i = 0; i < GlobalSecurityVariables.ServerCertFileNames.Count; i++)
                 {
                     if (Path.GetFileName(GlobalSecurityVariables.ServerCertFileNames[i]) == serverName + ".cer")
                     {
@@ -92,5 +92,23 @@ private static void ParseSecurityMetamodel()
 
             return null;
         }
+
+        internal static string? FindServerJwksUrl(string kid, out string domain)
+        {
+            domain = "";
+            if (GlobalSecurityVariables.ServerKid != null)
+            {
+                for (var i = 0; i < GlobalSecurityVariables.ServerKid.Count; i++)
+                {
+                    if (GlobalSecurityVariables.ServerKid[i] == kid)
+                    {
+                        domain = GlobalSecurityVariables.ServerDomain[i];
+                        return GlobalSecurityVariables.ServerJwksUrl[i];
+                    }
+                }
+            }
+
+            return null;
+        }
     }
 }
diff --git a/src/AasSecurity/SecurityService.cs b/src/AasSecurity/SecurityService.cs
@@ -11,33 +11,37 @@
 * SPDX-License-Identifier: Apache-2.0
 ********************************************************************************/
 
-using AasSecurity.Models;
-using AasSecurity.Exceptions;
-using AasxServer;
-using AasxServerStandardBib.Logging;
-using AasxServerStandardBib.Services;
-using Extensions;
-using Jose;
-using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Http;
-using Microsoft.Extensions.Logging;
-using Microsoft.IdentityModel.Tokens;
 using System.Collections.Specialized;
+using System.Data;
 using System.IdentityModel.Tokens.Jwt;
+using System.Linq.Dynamic.Core;
+using System.Linq.Expressions;
+using System.Net;
+using System.Net.Http.Headers;
 using System.Security.Claims;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Text;
+using System.Text.Json;
 using System.Web;
-using File = AasCore.Aas3_0.File;
+using AasSecurity.Exceptions;
+using AasSecurity.Models;
+using AasxServer;
+using AasxServerStandardBib.Logging;
+using AasxServerStandardBib.Services;
 using Contracts;
-using System.Linq.Expressions;
+using Extensions;
 using Irony.Parsing;
-using System.Linq.Dynamic.Core;
+using Jose;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging;
 using Microsoft.IdentityModel.JsonWebTokens;
-using static QRCoder.PayloadGenerator;
-using System.Data;
+using Microsoft.IdentityModel.Tokens;
 using Namotion.Reflection;
+using Newtonsoft.Json.Linq;
+using static QRCoder.PayloadGenerator;
+using File = AasCore.Aas3_0.File;
 
 namespace AasSecurity
 {
@@ -427,7 +431,8 @@ private string HandleBearerToken(string? bearerToken, ref string user, ref bool
                                 .First(c => c.Type == "tid").Value;
 
                             var jwksUrl = $"https://login.microsoftonline.com/{tenantId}/discovery/v2.0/keys";
-                            using var httpClient = new HttpClient();
+                            var clientHandler = new HttpClientHandler { DefaultProxyCredentials = CredentialCache.DefaultCredentials };
+                            using var httpClient = new HttpClient(clientHandler);
                             var jwksJson = httpClient.GetStringAsync(jwksUrl).Result;
                             var jwks = new JsonWebKeySet(jwksJson);
                             var signingKeys = jwks.GetSigningKeys();
@@ -458,6 +463,50 @@ private string HandleBearerToken(string? bearerToken, ref string user, ref bool
                         }
                         else
                         {
+                            if (jwtSecurityToken.Header.TryGetValue("kid", out _))
+                            {
+                                user = "";
+                                var jwksUrl = "";
+                                var kid = jwtSecurityToken.Header["kid"].ToString();
+                                if (kid != null)
+                                {
+                                    jwksUrl = SecurityHelper.FindServerJwksUrl(kid, out domain);
+                                }
+                                if (jwksUrl != "")
+                                {
+                                    var clientHandler = new HttpClientHandler { DefaultProxyCredentials = CredentialCache.DefaultCredentials };
+                                    using var httpClient = new HttpClient(clientHandler);
+                                    var jwksJson = httpClient.GetStringAsync(jwksUrl + "/jwks").Result;
+                                    var jwks = new JsonWebKeySet(jwksJson);
+                                    var signingKeys = jwks.GetSigningKeys();
+
+                                    var tokenHandler = new JwtSecurityTokenHandler();
+                                    var validationParameters = new TokenValidationParameters
+                                    {
+                                        ValidateIssuer = false,
+                                        ValidateAudience = false,
+                                        ValidateLifetime = true,
+                                        ValidateIssuerSigningKey = true,
+                                        IssuerSigningKeys = signingKeys
+                                    };
+
+                                    try
+                                    {
+                                        var principal = tokenHandler.ValidateToken(bearerToken, validationParameters, out var validatedToken);
+
+                                        user = jwtSecurityToken.Claims.First(c => c.Type == "userName").Value;
+                                        if (!string.IsNullOrEmpty(user))
+                                        {
+                                            return "";
+                                        }
+                                        user = "";
+                                    }
+                                    catch (Exception ex)
+                                    {
+                                    }
+                                }
+                            }
+
                             var serverName = jwtSecurityToken.Claims.First(c => c.Type == "serverName").Value;
                             if (!string.IsNullOrEmpty(serverName))
                             {
diff --git a/src/AasSecurity/SecuritySettingsForServerParser.cs b/src/AasSecurity/SecuritySettingsForServerParser.cs
@@ -11,12 +11,13 @@
 * SPDX-License-Identifier: Apache-2.0
 ********************************************************************************/
 
-using AasSecurity.Models;
-using AasxServer;
-using AdminShellNS;
 using System;
 using System.Buffers.Text;
 using System.Security.Cryptography.X509Certificates;
+using AasSecurity.Models;
+using AasxServer;
+using AdminShellNS;
+using IdentityModel;
 
 namespace AasSecurity
 {
@@ -91,6 +92,8 @@ private static void ParseAuthenticationServer(AdminShellPackageEnv env, Submodel
                     var domain = "";
                     var base64 = "";
                     var insideBas64 = false;
+                    var jwks = "";
+                    var kid = "";
                     foreach (var line in lines)
                     {
                         if (line == "" || line.StartsWith("# "))
@@ -104,12 +107,29 @@ private static void ParseAuthenticationServer(AdminShellPackageEnv env, Submodel
                             serverName = split[1];
                             Console.WriteLine(" serverName: " + serverName);
                         }
-                        if (line.Contains("domain: "))
+                        else if (line.Contains("domain: "))
                         {
                             var split = line.Split(": ");
                             domain = split[1];
                             Console.WriteLine("  domain: " + domain);
                         }
+                        else if (line.Contains("jwks: "))
+                        {
+                            var split = line.Split(": ");
+                            jwks = split[1];
+                            Console.WriteLine("  jwks: " + jwks);
+                        }
+                        else if (line.Contains("kid: "))
+                        {
+                            var split = line.Split(": ");
+                            kid = split[1];
+                            Console.WriteLine("  kid: " + kid);
+                            GlobalSecurityVariables.ServerCertificates.Add(null);
+                            GlobalSecurityVariables.ServerCertFileNames.Add("");
+                            GlobalSecurityVariables.ServerDomain.Add(domain);
+                            GlobalSecurityVariables.ServerJwksUrl.Add(jwks);
+                            GlobalSecurityVariables.ServerKid.Add(kid);
+                        }
                         else if (line.Contains("BEGIN CERTIFICATE"))
                         {
                             insideBas64 = true;
@@ -124,6 +144,8 @@ private static void ParseAuthenticationServer(AdminShellPackageEnv env, Submodel
                             GlobalSecurityVariables.ServerCertificates.Add(x509);
                             GlobalSecurityVariables.ServerCertFileNames.Add(serverName + ".cer");
                             GlobalSecurityVariables.ServerDomain.Add(domain);
+                            GlobalSecurityVariables.ServerJwksUrl.Add("");
+                            GlobalSecurityVariables.ServerKid.Add("");
                         }
                         else if (insideBas64)
                         {
diff --git a/src/AasxServerBlazor/Pages/Pcf2.razor b/src/AasxServerBlazor/Pages/Pcf2.razor
@@ -602,9 +602,9 @@
     }
 }
 
-@code {
-
-// void toggle(int clickIndex)
+@code {
+
+    // void toggle(int clickIndex)
     void toggle(CfpNode n)
     {
         if (closedNode.Contains(n.aas.Id))
@@ -642,19 +642,24 @@
         var    idEncoded = Base64UrlEncoder.Encode(sm.Id);
         if (sm.Extensions != null)
         {
-            endpoint = sm.Extensions[ 0 ].Value;
-            var s1 = endpoint.Split("/shells/");
-            if (s1.Length == 2)
-            {
-                var s2 = s1[ 1 ].Split("/submodels/");
-                if (s2.Length == 2)
+            endpoint = sm.Extensions[0].Value;
+            if (endpoint.Contains("/shells/"))
+            {
+                var s1 = endpoint.Split("/shells/");
+                if (s1.Length == 2)
                 {
-                    idEncoded = s2[ 1 ].Replace("/submodel/", "");
-                    ;
-                    endpoint = s1[ 0 ] + "/submodels/" + idEncoded;
+                    var s2 = s1[1].Split("/submodels/");
+                    if (s2.Length == 2)
+                    {
+                        idEncoded = s2[1].Replace("/submodel/", "");
+                        endpoint = s1[0] + "/submodels/" + idEncoded;
+                    }
                 }
+            }
+            else
+            {
+                ;
             }
-            // endpoint = endpoint.Replace("/submodel/", "");
         }
         else
         {
@@ -709,7 +714,7 @@
         if (f.Value != "")
         {
             string[] split = f.Value.Split(new Char[] {'/'});
-            if (split.Length == 2 || (split.Length > 1 && (split[ 1 ].ToLower() == "aasx" || split[ 1 ].ToLower() == "tmp")))
+            if (split.Length == 1 || split.Length == 2 || (split.Length > 1 && (split[1].ToLower() == "aasx" || split[1].ToLower() == "tmp")))
             {
                 split = f.Value.Split(new Char[] {'.'});
                 switch (split.Last().ToLower())
@@ -768,6 +773,10 @@
 
                         break;
                 }
+            }
+            else
+            {
+                ;
             }
         }
 
diff --git a/src/AasxServerDB/EntityFrameworkPersistenceService.cs b/src/AasxServerDB/EntityFrameworkPersistenceService.cs
@@ -398,13 +398,14 @@ public async Task<DbRequestResult> DoDbOperation(DbRequest dbRequest)
                     case DbRequestOp.ReadSubmodelById:
                         found = IsSubmodelPresent(db, securityCondition, aasIdentifier, submodelIdentifier, true, false, out _, out ISubmodel submodel);
 
+                        var aasText = aasIdentifier == null ? "" : $" in Asset Administration Shell with id {aasIdentifier}";
                         if (found)
                         {
-                            scopedLogger.LogDebug($"Submodel with id {submodelIdentifier} in Asset Administration Shell with id {aasIdentifier} found.");
+                            scopedLogger.LogDebug($"Submodel with id {submodelIdentifier}{aasText} found.");
                         }
                         else
                         {
-                            throw new NotFoundException($"Submodel with id {submodelIdentifier} in Asset Administration Shell with id {aasIdentifier} not found.");
+                            throw new NotFoundException($"Submodel with id {submodelIdentifier}{aasText} not found.");
                         }
 
                         if (dbRequest.Context.Params.IsSigned)
@@ -1406,7 +1407,8 @@ private string ReadFileByPath(AasContext db, Dictionary<string, string>? securit
         }
         else
         {
-            throw new NotFoundException($"Submodel with id {submodelIdentifier} in Asset Administration Shell with id {aasIdentifier} not found.");
+            var aasText = aasIdentifier == null ? "" : $" in Asset Administration Shell with id {aasIdentifier}";
+            throw new NotFoundException($"Submodel with id {submodelIdentifier}{aasText} not found.");
         }
     }
 
diff --git a/src/AasxServerDB/Query.cs b/src/AasxServerDB/Query.cs
@@ -2073,7 +2073,7 @@ private static string ChangeINSTRToLIKE(string rawSQL)
             }
             i++;
             // result = result + $"{param[0]} LIKE \'%{paramS[1]}%\' {splitParam[i]}";
-            result += $"{param[0]} LIKE '%' || {paramSNotEmpty} || '%' {splitParam[i]}";
+            result += $"{param[0]} LIKE '%' || '{paramSNotEmpty}' || '%' {splitParam[i]}";
         }
         return result;
     }
diff --git a/src/Contracts/QueryParserJSON.cs b/src/Contracts/QueryParserJSON.cs
@@ -603,7 +603,10 @@ public static string ReplaceField(string mode, string value, string smeValue)
         value = value.Replace("$aas#", "aas.");
         value = value.Replace("$sm#", "sm.");
         value = value.Replace("$sme#", "sme.");
-        value = value.Replace("sm.Id", "sm.Identifier");
+        if (value == "sm.Id")
+        {
+            value = value.Replace("sm.Id", "sm.Identifier");
+        }
         switch (mode)
         {
             case "all":

Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ private static void ParseSecurityMetamodel()`
`80`	`80`	`domain = "";`
`81`	`81`	`if (GlobalSecurityVariables.ServerCertFileNames != null)`
`82`	`82`	`{`
`83`		`- for (int i = 0; i < GlobalSecurityVariables.ServerCertFileNames.Count; i++)`
	`83`	`+ for (var i = 0; i < GlobalSecurityVariables.ServerCertFileNames.Count; i++)`
`84`	`84`	`{`
`85`	`85`	`if (Path.GetFileName(GlobalSecurityVariables.ServerCertFileNames[i]) == serverName + ".cer")`
`86`	`86`	`{`
`@@ -92,5 +92,23 @@ private static void ParseSecurityMetamodel()`
`92`	`92`
`93`	`93`	`return null;`
`94`	`94`	`}`
	`95`	`+`
	`96`	`+ internal static string? FindServerJwksUrl(string kid, out string domain)`
	`97`	`+ {`
	`98`	`+ domain = "";`
	`99`	`+ if (GlobalSecurityVariables.ServerKid != null)`
	`100`	`+ {`
	`101`	`+ for (var i = 0; i < GlobalSecurityVariables.ServerKid.Count; i++)`
	`102`	`+ {`
	`103`	`+ if (GlobalSecurityVariables.ServerKid[i] == kid)`
	`104`	`+ {`
	`105`	`+ domain = GlobalSecurityVariables.ServerDomain[i];`
	`106`	`+ return GlobalSecurityVariables.ServerJwksUrl[i];`
	`107`	`+ }`
	`108`	`+ }`
	`109`	`+ }`
	`110`	`+`
	`111`	`+ return null;`
	`112`	`+ }`
`95`	`113`	`}`
`96`	`114`	`}`
Original file line number	Diff line number	Diff line change
`@@ -602,9 +602,9 @@`
`602`	`602`	`}`
`603`	`603`	`}`
`604`	`604`
`605`		`-@code {`
`606`		`-`
`607`		`-// void toggle(int clickIndex)`
	`605`	`+@code {`
	`606`	`+`
	`607`	`+ // void toggle(int clickIndex)`
`608`	`608`	`void toggle(CfpNode n)`
`609`	`609`	`{`
`610`	`610`	`if (closedNode.Contains(n.aas.Id))`
`@@ -642,19 +642,24 @@`
`642`	`642`	`var idEncoded = Base64UrlEncoder.Encode(sm.Id);`
`643`	`643`	`if (sm.Extensions != null)`
`644`	`644`	`{`
`645`		`- endpoint = sm.Extensions[ 0 ].Value;`
`646`		`- var s1 = endpoint.Split("/shells/");`
`647`		`- if (s1.Length == 2)`
`648`		`- {`
`649`		`- var s2 = s1[ 1 ].Split("/submodels/");`
`650`		`- if (s2.Length == 2)`
	`645`	`+ endpoint = sm.Extensions[0].Value;`
	`646`	`+ if (endpoint.Contains("/shells/"))`
	`647`	`+ {`
	`648`	`+ var s1 = endpoint.Split("/shells/");`
	`649`	`+ if (s1.Length == 2)`
`651`	`650`	`{`
`652`		`- idEncoded = s2[ 1 ].Replace("/submodel/", "");`
`653`		`- ;`
`654`		`- endpoint = s1[ 0 ] + "/submodels/" + idEncoded;`
	`651`	`+ var s2 = s1[1].Split("/submodels/");`
	`652`	`+ if (s2.Length == 2)`
	`653`	`+ {`
	`654`	`+ idEncoded = s2[1].Replace("/submodel/", "");`
	`655`	`+ endpoint = s1[0] + "/submodels/" + idEncoded;`
	`656`	`+ }`
`655`	`657`	`}`
	`658`	`+ }`
	`659`	`+ else`
	`660`	`+ {`
	`661`	`+ ;`
`656`	`662`	`}`
`657`		`- // endpoint = endpoint.Replace("/submodel/", "");`
`658`	`663`	`}`
`659`	`664`	`else`
`660`	`665`	`{`
`@@ -709,7 +714,7 @@`
`709`	`714`	`if (f.Value != "")`
`710`	`715`	`{`
`711`	`716`	`string[] split = f.Value.Split(new Char[] {'/'});`
`712`		`- if (split.Length == 2 \|\| (split.Length > 1 && (split[ 1 ].ToLower() == "aasx" \|\| split[ 1 ].ToLower() == "tmp")))`
	`717`	`+ if (split.Length == 1 \|\| split.Length == 2 \|\| (split.Length > 1 && (split[1].ToLower() == "aasx" \|\| split[1].ToLower() == "tmp")))`
`713`	`718`	`{`
`714`	`719`	`split = f.Value.Split(new Char[] {'.'});`
`715`	`720`	`switch (split.Last().ToLower())`
`@@ -768,6 +773,10 @@`
`768`	`773`
`769`	`774`	`break;`
`770`	`775`	`}`
	`776`	`+ }`
	`777`	`+ else`
	`778`	`+ {`
	`779`	`+ ;`
`771`	`780`	`}`
`772`	`781`	`}`
`773`	`782`
Original file line number	Diff line number	Diff line change
`@@ -398,13 +398,14 @@ public async Task<DbRequestResult> DoDbOperation(DbRequest dbRequest)`
`398`	`398`	`case DbRequestOp.ReadSubmodelById:`
`399`	`399`	`found = IsSubmodelPresent(db, securityCondition, aasIdentifier, submodelIdentifier, true, false, out _, out ISubmodel submodel);`
`400`	`400`
	`401`	`+ var aasText = aasIdentifier == null ? "" : $" in Asset Administration Shell with id {aasIdentifier}";`
`401`	`402`	`if (found)`
`402`	`403`	`{`
`403`		`- scopedLogger.LogDebug($"Submodel with id {submodelIdentifier} in Asset Administration Shell with id {aasIdentifier} found.");`
	`404`	`+ scopedLogger.LogDebug($"Submodel with id {submodelIdentifier}{aasText} found.");`
`404`	`405`	`}`
`405`	`406`	`else`
`406`	`407`	`{`
`407`		`- throw new NotFoundException($"Submodel with id {submodelIdentifier} in Asset Administration Shell with id {aasIdentifier} not found.");`
	`408`	`+ throw new NotFoundException($"Submodel with id {submodelIdentifier}{aasText} not found.");`
`408`	`409`	`}`
`409`	`410`
`410`	`411`	`if (dbRequest.Context.Params.IsSigned)`
`@@ -1406,7 +1407,8 @@ private string ReadFileByPath(AasContext db, Dictionary<string, string>? securit`
`1406`	`1407`	`}`
`1407`	`1408`	`else`
`1408`	`1409`	`{`
`1409`		`- throw new NotFoundException($"Submodel with id {submodelIdentifier} in Asset Administration Shell with id {aasIdentifier} not found.");`
	`1410`	`+ var aasText = aasIdentifier == null ? "" : $" in Asset Administration Shell with id {aasIdentifier}";`
	`1411`	`+ throw new NotFoundException($"Submodel with id {submodelIdentifier}{aasText} not found.");`
`1410`	`1412`	`}`
`1411`	`1413`	`}`
`1412`	`1414`
Original file line number	Diff line number	Diff line change
`@@ -2073,7 +2073,7 @@ private static string ChangeINSTRToLIKE(string rawSQL)`
`2073`	`2073`	`}`
`2074`	`2074`	`i++;`
`2075`	`2075`	`// result = result + $"{param[0]} LIKE \'%{paramS[1]}%\' {splitParam[i]}";`
`2076`		`- result += $"{param[0]} LIKE '%' \|\| {paramSNotEmpty} \|\| '%' {splitParam[i]}";`
	`2076`	`+ result += $"{param[0]} LIKE '%' \|\| '{paramSNotEmpty}' \|\| '%' {splitParam[i]}";`
`2077`	`2077`	`}`
`2078`	`2078`	`return result;`
`2079`	`2079`	`}`