private static JweToken ParseJson(IDictionary <string, object> json)
{
var recipients = new List <JweRecipient>();
IEnumerable _recipients = Dictionaries.Get <IEnumerable>(json, "recipients");
if (_recipients != null)
{
foreach (IDictionary <string, object> recipient in _recipients)
{
byte[] encryptedCek = Base64Url.Decode(Dictionaries.Get <string>(recipient, "encrypted_key"));
recipients.Add(new JweRecipient(encryptedCek, Dictionaries.Get <IDictionary <string, object> >(recipient, "header")));
}
}
else if (recipients.Count == 0)
{
byte[] encryptedCek = Base64Url.Decode(Dictionaries.Get <string>(json, "encrypted_key"));
recipients.Add(new JweRecipient(encryptedCek, new Dictionary <string, object> {
{ "alg", "A256KW" }
}));
//recipients.Add(new JweRecipient(encryptedCek, Dictionaries.Get<IDictionary<string, object>>(json, "header")));
}
var _protected = Dictionaries.Get <string>(json, "protected");
var _aad = Dictionaries.Get <string>(json, "aad");
return(new JweToken(
protectedHeaderBytes: _protected == null ? new byte[0] : Base64Url.Decode(_protected),
unprotectedHeader: Dictionaries.Get <IDictionary <string, object> >(json, "unprotected"),
aad: _aad == null ? null : Base64Url.Decode(_aad),
recipients: recipients,
iv: Base64Url.Decode(Dictionaries.Get <string>(json, "iv")),
ciphertext: Base64Url.Decode(Dictionaries.Get <string>(json, "ciphertext")),
authTag: Base64Url.Decode(Dictionaries.Get <string>(json, "tag")),
encoding: SerializationMode.Json));
}
/// <summary>
/// Encrypts given binary plaintext using JWE and applies requested encryption/compression algorithms.
/// </summary>
/// <param name="plaintext">Binary data to encrypt (not null)</param>
/// <param name="recipients">The details of who to encrypt the plaintext (or rather the CEK) to.</param>
/// <param name="enc">encryption algorithm to be used to encrypt the plaintext.</param>
/// <param name="aad">additional authentication data (SerializationMode.Json only)</param>
/// <param name="mode">serialization mode to use. Note only one recipient can be specified for compact and flattened json serialization.</param>
/// <param name="compression">optional compression type to use.</param>
/// <param name="extraProtectedHeaders">optional extra headers to put in the protected header.</param>
/// <param name="unprotectedHeaders">optional unprotected headers</param>
/// <param name="settings">optional settings to override global DefaultSettings</param>
/// <returns>JWT in compact serialization form, encrypted and/or compressed.</returns>
public static string EncryptBytes(byte[] plaintext, IEnumerable <JweRecipient> recipients, JweEncryption enc, byte[] aad = null, SerializationMode mode = SerializationMode.Json, JweCompression?compression = null, IDictionary <string, object> extraProtectedHeaders = null, IDictionary <string, object> unprotectedHeaders = null, JwtSettings settings = null)
{
if (plaintext == null)
{
throw new ArgumentNullException(nameof(plaintext));
}
settings = GetSettings(settings);
IJweAlgorithm _enc = settings.Jwe(enc);
if (_enc == null)
{
throw new JoseException(string.Format("Unsupported JWE enc requested: {0}", enc));
}
//IDictionary<string, object> joseProtectedHeader = Dictionaries.MergeHeaders(
// new Dictionary<string, object> { { "enc", settings.JweHeaderValue(enc) } },
// extraProtectedHeaders);
IDictionary <string, object> joseProtectedHeader = Dictionaries.MergeHeaders();
byte[] cek = null;
var recipientsOut = new List <JweRecipient>();
foreach (var recipient in recipients)
{
joseProtectedHeader = Dictionaries.MergeHeaders(
new Dictionary <string, object> {
{ "alg", settings.JwaHeaderValue(recipient.Alg) }
},
new Dictionary <string, object> {
{ "enc", settings.JweHeaderValue(enc) }
}, extraProtectedHeaders);
IKeyManagement keys = settings.Jwa(recipient.Alg);
if (keys == null)
{
throw new JoseException(string.Format("Unsupported JWE alg requested: {0}", recipient.Alg));
}
// joseHeader - is merge of headers
// - key management will read from (e.g. enc,apv,apu - ECDH-ES)
//// - key management will write to (e.g. iv, tag - AesGcmKW)
IDictionary <string, object> joseHeader = Dictionaries.MergeHeaders(
joseProtectedHeader,
recipient.Header,
unprotectedHeaders
);
byte[] encryptedCek;
if (cek == null)
{
byte[][] contentKeys = keys.WrapNewKey(_enc.KeySize, recipient.Key, joseHeader);
cek = contentKeys[0];
encryptedCek = contentKeys[1];
}
else
{
encryptedCek = keys.WrapKey(cek, recipient.Key, joseHeader);
}
// For the per-receipient header we want the headers from the result of IKeyManagements key wrapping but without the
// shared headers
IDictionary <string, object> recipientHeader = joseHeader
.Where(
kvp => !joseProtectedHeader.ContainsKey(kvp.Key) &&
(unprotectedHeaders == null || !unprotectedHeaders.ContainsKey(kvp.Key))
)
.ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
recipientsOut.Add(new JweRecipient(encryptedCek, recipientHeader));
}
if (compression.HasValue)
{
joseProtectedHeader["zip"] = settings.CompressionHeader(compression.Value);
plaintext = settings.Compression(compression.Value).Compress(plaintext);
}
switch (mode)
{
case SerializationMode.Compact:
{
if (recipientsOut.Count != 1)
{
throw new JoseException("Only one recipient is supported by the JWE Compact Serialization.");
}
if (aad != null)
{
throw new JoseException("JWE AAD value is not valid for JWE Compact Serialization.");
}
joseProtectedHeader = Dictionaries.MergeHeaders(recipientsOut[0].Header, joseProtectedHeader);
byte[] header = Encoding.UTF8.GetBytes(settings.JsonMapper.Serialize(joseProtectedHeader));
aad = Encoding.UTF8.GetBytes(Compact.Serialize(header));
byte[][] encParts = _enc.Encrypt(aad, plaintext, cek);
return(new JweToken(
header,
null,
recipientsOut,
null,
encParts[0],
encParts[1],
encParts[2],
mode)
.AsString());
}
case SerializationMode.Json:
{
var protectedHeaderBytes = Encoding.UTF8.GetBytes(settings.JsonMapper.Serialize(joseProtectedHeader));
byte[] asciiEncodedProtectedHeader = Encoding.ASCII.GetBytes(Base64Url.Encode(protectedHeaderBytes));
byte[][] encParts = _enc.Encrypt(Aad(protectedHeaderBytes, aad), plaintext, cek);
return(new JweToken(
protectedHeaderBytes,
unprotectedHeaders,
recipientsOut,
aad,
encParts[0],
encParts[1],
encParts[2],
mode)
.AsString(settings.JsonMapper));
}
default:
throw new JoseException($"Unsupported serializtion mode: {mode}.");
}
}
private static byte[] Aad(byte[] protectedHeader, byte[] aad = null)
{
return(aad == null?
Encoding.ASCII.GetBytes(Base64Url.Encode(protectedHeader)) :
Encoding.ASCII.GetBytes(string.Concat(Base64Url.Encode(protectedHeader), ".", Base64Url.Encode(aad))));
}
/// <summary>
/// Serialize token according to serialization mode
/// </summary>
public string AsString(IJsonMapper mapper = null)
{
if (Encoding == SerializationMode.Compact)
{
return(Compact.Serialize(ProtectedHeaderBytes, Recipients[0].EncryptedCek, Iv, Ciphertext, AuthTag));
}
var json = new Dictionary <string, object>()
{
{ "ciphertext", Base64Url.Encode(Ciphertext) },
{ "protected", Base64Url.Encode(ProtectedHeaderBytes) },
{ "iv", Base64Url.Encode(Iv) },
{ "tag", Base64Url.Encode(AuthTag) }
};
if (Aad != null)
{
json["aad"] = Base64Url.Encode(Aad);
}
if (UnprotectedHeader != null)
{
json["unprotected"] = UnprotectedHeader;
}
var recipientList = new List <object>();
foreach (var recipient in Recipients)
{
recipientList.Add(
new Dictionary <string, object> {
//{ "header", recipient.Header },
{ "encrypted_key", Base64Url.Encode(recipient.EncryptedCek) }
}
);
}
json["recipients"] = recipientList;
#region commecnted actual code and added same patch as per modification response
//if (Recipients.Count == 1)
//{
// json["header"] = Recipients[0].Header;
// json["encrypted_key"] = Base64Url.Encode(Recipients[0].EncryptedCek);
//}
//else
//{
// var recipientList = new List<object>();
// foreach (var recipient in Recipients)
// {
// recipientList.Add(
// new Dictionary<string, object> {
// //{ "header", recipient.Header },
// { "encrypted_key", Base64Url.Encode(recipient.EncryptedCek) }
// }
// );
// }
// json["recipients"] = recipientList;
//}
#endregion
return(mapper.Serialize(json));
}
