Merge pull request #7 from approov/feature/message_signing

Feature/message signing

Author: jexh

.gitignore

@@ -263,4 +263,5 @@ paket-files/
 __pycache__/
 *.pyc
 
-.env
+".env"
+.DS_Store

Dockerfile

@@ -1,4 +1,4 @@
-ARG TAG=6.0
+ARG TAG=8.0
 
 FROM mcr.microsoft.com/dotnet/sdk:${TAG}
 

EXAMPLES.md

@@ -12,34 +12,33 @@ If you are looking for the Approov quickstarts to integrate Approov in your ASP.
 To learn more about each Hello server example you need to read the README for each one at:
 
 * [Unprotected Server](/servers/hello/src/unprotected-server)
-* [Approov Protected Server - Token Check](/servers/hello/src/approov-protected-server/token-check)
-* [Approov Protected Server - Token Binding Check](/servers/hello/src/approov-protected-server/token-binding-check)
+* [Approov Protected Server](/servers/hello/src/approov-protected-server/token-check)
 
+The repository also includes helper scripts in `/test-scripts` that exercise token validation, token binding, message signing, and Structured Field parsing against the protected server.
 
 ## Setup Environment
 
-Do not forget to properly setup the `.env` file in the root of each Approov protected server example before you run the server with the docker stack.
+Do not forget to properly setup the `.env` file in the root of the Approov protected server example before you run the server with the docker stack.
 
 ```bash
 cp servers/hello/src/approov-protected-server/token-check/.env.example servers/hello/src/approov-protected-server/token-check/.env
-cp servers/hello/src/approov-protected-server/token-binding-check/.env.example servers/hello/src/approov-protected-server/token-binding-check/.env
 ```
 
-Edit each file and add the [dummy secret](/TESTING.md#the-dummy-secret) to it in order to be able to test the Approov integration with the provided [Postman collection](https://github.com/approov/postman-collections/blob/master/quickstarts/hello-world/hello-world.postman_curl_requests_examples.md).
+Edit the file and add the [dummy secret](/TESTING.md#the-dummy-secret) to it in order to be able to test the Approov integration with the provided [Postman collection](https://github.com/approov/postman-collections/blob/master/quickstarts/hello-world/hello-world.postman_curl_requests_examples.md). Set `APPROOV_TOKEN_BINDING_HEADER` (for example `Authorization`) and tweak the optional `APPROOV_SIGNATURE_*` variables to explore token binding and message signing policies.
 
 
 ## Docker Stack
 
 The docker stack provided via the `docker-compose.yml` file in this folder is used for development proposes and if you are familiar with docker then feel free to also use it to follow along the examples on the README of each server.
 
-If you decide to use the docker stack then you need to bear in mind that the Postman collections, used to test the servers examples, will connect to port `8002` therefore you cannot start all docker compose services at once, for example with `docker-compose up`, instead you need to run one at a time as exemplified below.
+If you decide to use the docker stack then you need to bear in mind that the Postman collections, used to test the servers examples, will connect to port `8111` therefore you cannot start all docker compose services at once, for example with `docker-compose up`, instead you need to run one at a time as exemplified below.
 
 ### Build the Docker Stack
 
-The three services in the `docker-compose.yml` use the same Dockerfile, therefore to build the Docker image we just need to used one of them:
+The services in the `docker-compose.yml` use the same Dockerfile, therefore to build the Docker image we just need to use one of them:
 
 ```bash
-sudo docker-compose build approov-token-binding-check
+sudo docker-compose build approov-token-check
 ```
 
 Now, you are ready to start using the Docker stack for ASP.Net.
@@ -76,20 +75,6 @@ or get a bash shell inside the container:
 sudo docker-compose run --rm --service-ports approov-token-check zsh
 ```
 
-#### For the Approov Token Binding Check
-
-Run the container attached to the shell:
-
-```bash
-sudo docker-compose up approov-token-binding-check
-```
-
-or get a bash shell inside the container:
-
-```bash
-sudo docker-compose run --rm --service-ports approov-token-binding-check zsh
-```
-
 ## Issues
 
 If you find any issue while following our instructions then just report it [here](https://github.com/approov/quickstart-asp.net-token-check/issues), with the steps to reproduce it, and we will sort it out and/or guide you to the correct path.
@@ -99,7 +84,7 @@ If you find any issue while following our instructions then just report it [here
 
 If you wish to explore the Approov solution in more depth, then why not try one of the following links as a jumping off point:
 
-* [Approov Free Trial](https://approov.io/signup)(no credit card needed)
+* [Approov Free Trial](https://approov.io/signup) (no credit card needed)
 * [Approov Get Started](https://approov.io/product/demo)
 * [Approov QuickStarts](https://approov.io/docs/latest/approov-integration-examples/)
 * [Approov Docs](https://approov.io/docs)

OVERVIEW.md

@@ -33,8 +33,10 @@ The backend server ensures that the token supplied in the `Approov-Token` header
 
 The request is handled such that:
 
-* If the Approov Token is valid, the request is allowed to be processed by the API endpoint
-* If the Approov Token is invalid, an HTTP 401 Unauthorized response is returned
+* If the Approov Token is valid, the request is allowed to be processed by the API endpoint.
+* If the Approov Token is invalid, an HTTP 401 Unauthorized response is returned.
+* Optional [token binding](https://approov.io/docs/latest/approov-usage-documentation/#token-binding) recomputes the binding hash from headers such as `Authorization` and must match the token’s `pay` claim before the request is processed.
+* Optional [message signing](https://approov.io/docs/latest/approov-usage-documentation/#message-signing) reconstructs the canonical HTTP message and validates the signature supplied in the `Signature` / `Signature-Input` headers using the installation public key embedded in the token.
 
 You can choose to log JWT verification failures, but we left it out on purpose so that you can have the choice of how you prefer to do it and decide the right amount of information you want to log.
 
@@ -43,7 +45,7 @@ You can choose to log JWT verification failures, but we left it out on purpose s
 
 If you wish to explore the Approov solution in more depth, then why not try one of the following links as a jumping off point:
 
-* [Approov Free Trial](https://approov.io/signup)(no credit card needed)
+* [Approov Free Trial](https://approov.io/signup) (no credit card needed)
 * [Approov Get Started](https://approov.io/product/demo)
 * [Approov QuickStarts](https://approov.io/docs/latest/approov-integration-examples/)
 * [Approov Docs](https://approov.io/docs)

QUICKSTARTS.md

@@ -1,15 +1,17 @@
 # Approov Integration Quickstarts
 
-[Approov](https://approov.io) is an API security solution used to verify that requests received by your backend services originate from trusted versions of your mobile apps.
+[Approov](https://approov.io) ensures that API traffic reaching your backend originates from trusted versions of your mobile apps. This repository collects the server-side quickstarts for ASP.NET 8 and reuses a single reference implementation at `servers/hello/src/approov-protected-server/token-check`.
 
 
 ## The Quickstarts
 
-The quickstart code for the Approov backend server is split into two implementations. The first gets you up and running with basic token checking. The second uses a more advanced Approov feature, _token binding_. Token binding may be used to link the Approov token with other properties of the request, such as user authentication (more details can be found [here](https://approov.io/docs/latest/approov-usage-documentation/#token-binding)).
-* [Approov token check quickstart](/docs/APPROOV_TOKEN_QUICKSTART.md)
-* [Approov token check with token binding quickstart](/docs/APPROOV_TOKEN_BINDING_QUICKSTART.md)
+Pick the guide that matches the level of protection you want to implement:
 
-Both the quickstarts are built from the unprotected example server defined [here](servers/hello/src/unprotected-server).
+- [Approov token check](docs/APPROOV_TOKEN_QUICKSTART.md) - validate the JWT presented in the `Approov-Token` header.
+- [Approov token binding](docs/APPROOV_TOKEN_BINDING_QUICKSTART.md) - bind tokens to headers such as `Authorization` to prevent replay.
+- [Approov message signing](docs/APPROOV_MESSAGE_SIGNING_QUICKSTART.md) - verify HTTP message signatures using the installation public key (IPK).
+
+Each build upon the previous one, so start with the token quickstart before layering binding or message signing.
 
 
 ## Issues
@@ -21,13 +23,13 @@ If you find any issue while following our instructions then just report it [here
 
 If you wish to explore the Approov solution in more depth, then why not try one of the following links as a jumping off point:
 
-* [Approov Free Trial](https://approov.io/signup)(no credit card needed)
-* [Approov Get Started](https://approov.io/product/demo)
-* [Approov QuickStarts](https://approov.io/docs/latest/approov-integration-examples/)
-* [Approov Docs](https://approov.io/docs)
-* [Approov Blog](https://approov.io/blog/)
-* [Approov Resources](https://approov.io/resource/)
-* [Approov Customer Stories](https://approov.io/customer)
-* [Approov Support](https://approov.io/contact)
-* [About Us](https://approov.io/company)
-* [Contact Us](https://approov.io/contact)
+- [Approov Free Trial](https://approov.io/signup) (no credit card needed)
+- [Approov Get Started](https://approov.io/product/demo)
+- [Approov QuickStarts](https://approov.io/docs/latest/approov-integration-examples/)
+- [Approov Docs](https://approov.io/docs)
+- [Approov Blog](https://approov.io/blog/)
+- [Approov Resources](https://approov.io/resource/)
+- [Approov Customer Stories](https://approov.io/customer)
+- [Approov Support](https://approov.io/contact)
+- [About Us](https://approov.io/company)
+- [Contact Us](https://approov.io/contact)