PrivateFunctions/Test-JwtRsaSignature.ps1
function Test-JwtRsaSignature { [CmdletBinding()] [OutputType([bool])] param ( [Parameter(Mandatory=$true,ValueFromPipeline=$false,Position=0)] [ValidateLength(16,131072)][Alias("JWT", "Token")][String]$JsonWebToken, [Parameter(Mandatory=$true,Position=1)][Alias("Certificate", "Cert")] [System.Security.Cryptography.X509Certificates.X509Certificate2]$VerificationCertificate, [Parameter(Position=2,Mandatory=$true)] [ValidateSet("SHA256","SHA384","SHA512")] [String]$HashAlgorithm, [Parameter(Position=3,Mandatory=$false)] [Switch]$VerifyCertificate ) PROCESS { [bool]$sigVerifies = $false [bool]$isValidJwt = Test-JwtStructure -JsonWebToken $JsonWebToken -VerifySignaturePresent if (-not($isValidJwt)) { $decodeExceptionMessage = "Unable to decode JWT." $ArgumentException = New-Object -TypeName ArgumentException -ArgumentList $decodeExceptionMessage Write-Error -Exception $ArgumentException -Category InvalidArgument -ErrorAction Stop } $thumbprint = $VerificationCertificate.Thumbprint if ($PSBoundParameters.ContainsKey($VerifyCertificate)) { if (!($VerificationCertificate.Verify())) { $verificationErrorMessage = "Certificate with thumbprint {0} failed verification. Check certificate chain, expiration, and CRL access." -f $thumbprint Write-Error -Exception ([CryptographicException]::new($verificationErrorMessage)) -Category SecurityError -ErrorAction Stop } } $headerPart = Get-JsonWebTokenHeader -JsonWebToken $JsonWebToken -AsEncodedString $payloadPart = Get-JsonWebTokenPayload -JsonWebToken $JsonWebToken -AsEncodedString $jwtSansSig = "{0}.{1}" -f $headerPart, $payloadPart $publicKey = $VerificationCertificate.PublicKey.Key try { [byte[]]$HeaderAndPayloadBytes = [System.Text.Encoding]::UTF8.GetBytes($jwtSansSig) [byte[]]$Signature = Get-JsonWebTokenSignature -JsonWebToken $JsonWebToken $sigVerifies = $publicKey.VerifyData($HeaderAndPayloadBytes, $Signature, $HashAlgorithm, [RSASignaturePadding]::Pkcs1) } catch { $sigVerifies = $false } return $sigVerifies } } |