/// <inheritsdoc />
public override bool TryUnwrapKey(ReadOnlySpan <byte> keyBytes, Span <byte> destination, JwtHeaderDocument header, out int bytesWritten)
{
if (!header.TryGetHeaderParameter(JwtHeaderParameterNames.P2c.EncodedUtf8Bytes, out JwtElement p2c))
{
ThrowHelper.ThrowJwtDescriptorException_HeaderIsRequired(JwtHeaderParameterNames.P2c);
}
if (!header.TryGetHeaderParameter(JwtHeaderParameterNames.P2s.EncodedUtf8Bytes, out JwtElement p2s))
{
ThrowHelper.ThrowJwtDescriptorException_HeaderIsRequired(JwtHeaderParameterNames.P2s);
}
int iterationCount = (int)p2c.GetInt64();
var b64p2s = p2s.GetRawValue();
int p2sLength = Base64Url.GetArraySizeRequiredToDecode(b64p2s.Length);
Span <byte> salt = stackalloc byte[p2sLength + 1 + _algorithmNameLength];
Base64Url.Decode(b64p2s.Span, salt.Slice(_algorithmNameLength + 1));
salt[_algorithmNameLength] = 0x00;
_algorithm.EncodedUtf8Bytes.CopyTo(salt);
Span <byte> derivedKey = stackalloc byte[_keySizeInBytes];
Pbkdf2.DeriveKey(_password, salt, _hashAlgorithm, (uint)iterationCount, derivedKey);
using var keyUnwrapper = new AesKeyUnwrapper(derivedKey, EncryptionAlgorithm, _keyManagementAlgorithm);
return(keyUnwrapper.TryUnwrapKey(keyBytes, destination, header, out bytesWritten));
}
/// <inheritsdoc />
public override SymmetricJwk WrapKey(Jwk?staticKey, JwtHeader header, Span <byte> destination)
{
if (header is null)
{
ThrowHelper.ThrowArgumentNullException(ExceptionArgument.header);
}
var contentEncryptionKey = CreateSymmetricKey(EncryptionAlgorithm, (SymmetricJwk?)staticKey);
Span <byte> buffer = stackalloc byte[_saltSizeInBytes + 1 + _algorithmNameLength];
_saltGenerator.Generate(buffer.Slice(_algorithmNameLength + 1));
buffer[_algorithmNameLength] = 0x00;
_algorithm.EncodedUtf8Bytes.CopyTo(buffer);
Span <byte> derivedKey = stackalloc byte[_keySizeInBytes];
Pbkdf2.DeriveKey(_password, buffer, _hashAlgorithm, _iterationCount, derivedKey);
Span <byte> salt = buffer.Slice(_algorithmNameLength + 1, _saltSizeInBytes);
Span <byte> b64Salt = stackalloc byte[Base64Url.GetArraySizeRequiredToEncode(salt.Length)];
Base64Url.Encode(salt, b64Salt);
header.Add(JwtHeaderParameterNames.P2s, Utf8.GetString(b64Salt));
header.Add(JwtHeaderParameterNames.P2c, _iterationCount);
using var keyWrapper = new AesKeyWrapper(derivedKey, EncryptionAlgorithm, _keyManagementAlgorithm);
return(keyWrapper.WrapKey(contentEncryptionKey, header, destination));
}
/// <inheritsdoc />
public override SymmetricJwk WrapKey(Jwk?staticKey, JwtHeader header, Span <byte> destination)
{
if (header is null)
{
ThrowHelper.ThrowArgumentNullException(ExceptionArgument.header);
}
var contentEncryptionKey = CreateSymmetricKey(EncryptionAlgorithm, (SymmetricJwk?)staticKey);
int bufferSize = _saltSizeInBytes + _algorithmNameLength + 1;
byte[]? bufferToReturn = null;
Span <byte> buffer = bufferSize > Pbkdf2.SaltSizeThreshold + 18 + 1 // 18 = max alg name length
? (bufferToReturn = ArrayPool <byte> .Shared.Rent(bufferSize))
: stackalloc byte[Pbkdf2.SaltSizeThreshold + 18 + 1];
buffer = buffer.Slice(0, bufferSize);
_saltGenerator.Generate(buffer.Slice(_algorithmNameLength + 1));
buffer[_algorithmNameLength] = 0x00;
_algorithm.EncodedUtf8Bytes.CopyTo(buffer);
Span <byte> derivedKey = stackalloc byte[KeySizeThreshold].Slice(0, _keySizeInBytes);
Pbkdf2.DeriveKey(_password, buffer, _hashAlgorithm, _iterationCount, derivedKey);
Span <byte> salt = buffer.Slice(_algorithmNameLength + 1, _saltSizeInBytes);
int saltLengthB64 = Base64Url.GetArraySizeRequiredToEncode(salt.Length);
byte[]? arrayToReturn = null;
Span <byte> b64Salt = saltLengthB64 > Pbkdf2.SaltSizeThreshold * 4 / 3
? (arrayToReturn = ArrayPool <byte> .Shared.Rent(saltLengthB64))
: stackalloc byte[Pbkdf2.SaltSizeThreshold * 4 / 3];
try
{
int length = Base64Url.Encode(salt, b64Salt);
header.Add(JwtHeaderParameterNames.P2s, Utf8.GetString(b64Salt.Slice(0, saltLengthB64)));
header.Add(JwtHeaderParameterNames.P2c, _iterationCount);
using var keyWrapper = new AesKeyWrapper(derivedKey, EncryptionAlgorithm, _keyManagementAlgorithm);
return(keyWrapper.WrapKey(contentEncryptionKey, header, destination));
}
finally
{
if (bufferToReturn != null)
{
ArrayPool <byte> .Shared.Return(bufferToReturn);
}
if (arrayToReturn != null)
{
ArrayPool <byte> .Shared.Return(arrayToReturn);
}
}
}