public async Task <SecurityKeyWithAlgorithm> GetSigningSecurityKey()
{
var secret = await _outbackDbContext.Secrets.SingleOrDefaultAsync(m => m.ActiveSigningKey == true);
switch (secret.PublicKeyCryptographyType)
{
case PublicKeyCryptographyType.EC_NistP256:
var storedParameters = JsonSerializer.Deserialize <CryptographyParameters>(secret.CryptographyData);
var ecParameters = new ECParameters
{
Curve = ECCurve.NamedCurves.nistP256,
D = Base64UrlEncoder.DecodeBytes(storedParameters.EncodedD),
Q = new ECPoint
{
X = Base64UrlEncoder.DecodeBytes(storedParameters.EncodedX),
Y = Base64UrlEncoder.DecodeBytes(storedParameters.EncodedY)
}
};
var ecdsa = ECDsa.Create();
ecdsa.ImportParameters(ecParameters);
var ecdSaKey = new ECDsaSecurityKey(ecdsa)
{
KeyId = storedParameters.KeyId
};
return(new SecurityKeyWithAlgorithm(JsonWebKeyConverter.ConvertFromECDsaSecurityKey(ecdSaKey), SecurityAlgorithms.EcdsaSha256));
default:
throw new Exception($"{secret.PublicKeyCryptographyType} is not supported");
}
}
public static GeneratedJwtKey Create()
{
Guid subjectId = Guid.NewGuid();
string subjectStr = subjectId.ToString("D");
ECDsa dsa = ECDsa.Create();
dsa.GenerateKey(ECCurve.NamedCurves.nistP384);
ECDsaSecurityKey secKey = new ECDsaSecurityKey(dsa);
SigningCredentials signingCreds = new SigningCredentials(secKey, SecurityAlgorithms.EcdsaSha384);
JwtHeader newHeader = new JwtHeader(signingCreds, null, JwtConstants.HeaderType);
Claim audClaim = new Claim(AuthConstants.ClaimAudienceStr, AuthConstants.ApiKeyJwtAudience);
Claim issClaim = new Claim(AuthConstants.ClaimIssuerStr, AuthConstants.ApiKeyJwtInternalIssuer);
Claim subClaim = new Claim(AuthConstants.ClaimSubjectStr, subjectStr);
JwtPayload newPayload = new JwtPayload(new Claim[] { audClaim, issClaim, subClaim });
JwtSecurityToken newToken = new JwtSecurityToken(newHeader, newPayload);
ECDsa pubDsa = ECDsa.Create(dsa.ExportParameters(includePrivateParameters: false));
ECDsaSecurityKey pubSecKey = new ECDsaSecurityKey(pubDsa);
JsonWebKey jwk = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(pubSecKey);
string publicKeyJson = JsonSerializer.Serialize(jwk, new JsonSerializerOptions()
{
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull
});
string publicKeyEncoded = Base64UrlEncoder.Encode(publicKeyJson);
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
string output = tokenHandler.WriteToken(newToken);
return(new GeneratedJwtKey(output, subjectStr, publicKeyEncoded));
}
private JsonWebKey CreateJWK()
{
var key = new ECDsaSecurityKey(ECDsa.Create(Curve))
{
KeyId = Guid.NewGuid().ToString()
};
var jwk = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(key);
SaveKey(jwk);
return(jwk);
}
public SecretStorage(RandomStringGenerator randomStringGenerator)
{
var secret = ECDsa.Create(ECCurve.NamedCurves.nistP256);
_ecdSaKey = new ECDsaSecurityKey(secret)
{
KeyId = randomStringGenerator.GetRandomString(20)
};
_key = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(_ecdSaKey);
var publicKey = _ecdSaKey.ECDsa.ExportParameters(false);
//_ellipticCurveJsonWebKeyModel = new EllipticCurveJsonWebKeyModel(_key.KeyId, Base64UrlEncoder.Encode(_key.X), Base64UrlEncoder.Encode(_key.Y), JsonWebKeyECTypes.P256, SecurityAlgorithms.EcdsaSha256);
//_ellipticCurveJsonWebKeyModel = new EllipticCurveJsonWebKeyModel(_key.KeyId, _key.X, _key.Y, JsonWebKeyECTypes.P256, SecurityAlgorithms.EcdsaSha256);
_ellipticCurveJsonWebKeyModel = new EllipticCurveJsonWebKeyModel(_ecdSaKey.KeyId, Base64UrlEncoder.Encode(publicKey.Q.X), Base64UrlEncoder.Encode(publicKey.Q.Y), JsonWebKeyECTypes.P256, SecurityAlgorithms.EcdsaSha256);
}
public static RootOptions UseApiKey(this RootOptions options, string algorithmName, string subject, JwtPayload customPayload, out string token, out SecurityKey privateKey)
{
if (null == options.Authentication)
{
options.Authentication = new AuthenticationOptions();
}
if (null == options.Authentication.MonitorApiKey)
{
options.Authentication.MonitorApiKey = new MonitorApiKeyOptions();
}
SigningCredentials signingCreds;
JsonWebKey exportableJwk;
switch (algorithmName)
{
case SecurityAlgorithms.EcdsaSha256:
case SecurityAlgorithms.EcdsaSha256Signature:
case SecurityAlgorithms.EcdsaSha384:
case SecurityAlgorithms.EcdsaSha384Signature:
case SecurityAlgorithms.EcdsaSha512:
case SecurityAlgorithms.EcdsaSha512Signature:
ECDsa ecDsa = ECDsa.Create(GetEcCurveFromName(algorithmName));
ECDsaSecurityKey ecSecKey = new ECDsaSecurityKey(ecDsa);
signingCreds = new SigningCredentials(ecSecKey, algorithmName);
ECDsa pubEcDsa = ECDsa.Create(ecDsa.ExportParameters(false));
ECDsaSecurityKey pubEcSecKey = new ECDsaSecurityKey(pubEcDsa);
exportableJwk = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(pubEcSecKey);
privateKey = ecSecKey;
break;
case SecurityAlgorithms.RsaSha256:
case SecurityAlgorithms.RsaSha256Signature:
case SecurityAlgorithms.RsaSha384:
case SecurityAlgorithms.RsaSha384Signature:
case SecurityAlgorithms.RsaSha512:
case SecurityAlgorithms.RsaSha512Signature:
RSA rsa = RSA.Create(GetRsaKeyLengthFromName(algorithmName));
RsaSecurityKey rsaSecKey = new RsaSecurityKey(rsa);
signingCreds = new SigningCredentials(rsaSecKey, algorithmName);
RSA pubRsa = RSA.Create(rsa.ExportParameters(false));
RsaSecurityKey pubRsaSecKey = new RsaSecurityKey(pubRsa);
exportableJwk = JsonWebKeyConverter.ConvertFromRSASecurityKey(pubRsaSecKey);
privateKey = rsaSecKey;
break;
case SecurityAlgorithms.HmacSha256:
case SecurityAlgorithms.HmacSha384:
case SecurityAlgorithms.HmacSha512:
HMAC hmac = HMAC.Create(GetHmacAlgorithmFromName(algorithmName));
SymmetricSecurityKey hmacSecKey = new SymmetricSecurityKey(hmac.Key);
signingCreds = new SigningCredentials(hmacSecKey, algorithmName);
exportableJwk = JsonWebKeyConverter.ConvertFromSymmetricSecurityKey(hmacSecKey);
privateKey = hmacSecKey;
break;
default:
throw new ArgumentException($"Algorithm name '{algorithmName}' not supported", nameof(algorithmName));
}
JwtHeader newHeader = new JwtHeader(signingCreds, null, JwtConstants.HeaderType);
JwtSecurityToken newToken = new JwtSecurityToken(newHeader, customPayload);
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
string resultToken = tokenHandler.WriteToken(newToken);
JsonSerializerOptions serializerOptions = JsonSerializerOptionsFactory.Create(JsonSerializerOptionsFactory.JsonIgnoreCondition.WhenWritingNull);
string publicKeyJson = JsonSerializer.Serialize(exportableJwk, serializerOptions);
string publicKeyEncoded = Base64UrlEncoder.Encode(publicKeyJson);
options.Authentication.MonitorApiKey.Subject = subject;
options.Authentication.MonitorApiKey.PublicKey = publicKeyEncoded;
token = resultToken;
return(options);
}