private static void ValidateDecryption(JwtTokenDecryptionParameters decryptionParameters, bool decryptionSucceeded, bool algorithmNotSupportedByCryptoProvider, StringBuilder exceptionStrings, StringBuilder keysAttempted) { if (!decryptionSucceeded && keysAttempted.Length > 0) { throw LogHelper.LogExceptionMessage(new SecurityTokenDecryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10603, keysAttempted, exceptionStrings, decryptionParameters.EncodedToken))); } if (!decryptionSucceeded && algorithmNotSupportedByCryptoProvider) { throw LogHelper.LogExceptionMessage(new SecurityTokenDecryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10619, LogHelper.MarkAsNonPII(decryptionParameters.Alg), LogHelper.MarkAsNonPII(decryptionParameters.Enc)))); } if (!decryptionSucceeded) { throw LogHelper.LogExceptionMessage(new SecurityTokenDecryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10609, decryptionParameters.EncodedToken))); } }
private static byte[] DecryptToken(CryptoProviderFactory cryptoProviderFactory, SecurityKey key, JwtTokenDecryptionParameters decryptionParameters) { using (AuthenticatedEncryptionProvider decryptionProvider = cryptoProviderFactory.CreateAuthenticatedEncryptionProvider(key, decryptionParameters.Enc)) { if (decryptionProvider == null) { throw LogHelper.LogExceptionMessage(new InvalidOperationException(LogHelper.FormatInvariant(TokenLogMessages.IDX10610, key, LogHelper.MarkAsNonPII(decryptionParameters.Enc)))); } return(decryptionProvider.Decrypt( Base64UrlEncoder.DecodeBytes(decryptionParameters.Ciphertext), Encoding.ASCII.GetBytes(decryptionParameters.EncodedHeader), Base64UrlEncoder.DecodeBytes(decryptionParameters.InitializationVector), Base64UrlEncoder.DecodeBytes(decryptionParameters.AuthenticationTag))); } }
/// <summary> /// Decrypts a Json Web Token. /// </summary> /// <param name="jwtToken">The Json Web Token</param> /// <param name="validationParameters">The validation parameters containing cryptographic material.</param> /// <param name="decryptionParameters">The decryption parameters container.</param> /// <returns>The decrypted, and if the 'zip' claim is set, decompressed string representation of the token.</returns> internal static string DecryptJwtToken( SecurityToken jwtToken, TokenValidationParameters validationParameters, JwtTokenDecryptionParameters decryptionParameters) { if (validationParameters == null) { throw LogHelper.LogArgumentNullException(nameof(validationParameters)); } if (decryptionParameters == null) { throw LogHelper.LogArgumentNullException(nameof(decryptionParameters)); } bool decryptionSucceeded = false; bool algorithmNotSupportedByCryptoProvider = false; byte[] decryptedTokenBytes = null; // keep track of exceptions thrown, keys that were tried var exceptionStrings = new StringBuilder(); var keysAttempted = new StringBuilder(); foreach (SecurityKey key in decryptionParameters.Keys) { var cryptoProviderFactory = validationParameters.CryptoProviderFactory ?? key.CryptoProviderFactory; if (cryptoProviderFactory == null) { LogHelper.LogWarning(TokenLogMessages.IDX10607, key); continue; } if (!cryptoProviderFactory.IsSupportedAlgorithm(decryptionParameters.Enc, key)) { algorithmNotSupportedByCryptoProvider = true; LogHelper.LogWarning(TokenLogMessages.IDX10611, LogHelper.MarkAsNonPII(decryptionParameters.Enc), key); continue; } try { Validators.ValidateAlgorithm(decryptionParameters.Enc, key, jwtToken, validationParameters); decryptedTokenBytes = DecryptToken(cryptoProviderFactory, key, decryptionParameters); decryptionSucceeded = true; break; } catch (Exception ex) { exceptionStrings.AppendLine(ex.ToString()); } if (key != null) { keysAttempted.AppendLine(key.ToString()); } } ValidateDecryption(decryptionParameters, decryptionSucceeded, algorithmNotSupportedByCryptoProvider, exceptionStrings, keysAttempted); if (string.IsNullOrEmpty(decryptionParameters.Zip)) { return(Encoding.UTF8.GetString(decryptedTokenBytes)); } try { return(decryptionParameters.DecompressionFunction(decryptedTokenBytes, decryptionParameters.Zip)); } catch (Exception ex) { throw LogHelper.LogExceptionMessage(new SecurityTokenDecompressionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10679, decryptionParameters.Zip), ex)); } }