public string Decrypt(JweConfig config)
{
byte[] unwrappedKey = RsaEncryption.UnwrapSecretKey(config, Base64Utils.URLDecode(EncryptedKey), "SHA-256");
if (unwrappedKey == null)
{
throw new EncryptionException(String.Format("Failed to unwrap key {0}", EncryptedKey));
}
string encryptionMethod = Header.Enc;
byte[] plaintext;
if (A256GCM.Equals(encryptionMethod))
{
plaintext = AesGcm.Decrypt(unwrappedKey, this);
}
else if (A128CBC_HS256.Equals(encryptionMethod))
{
plaintext = AesCbc.Decrypt(unwrappedKey, this);
}
else
{
throw new EncryptionException(String.Format("Encryption method {0} is not supported", encryptionMethod));
}
return(Encoding.UTF8.GetString(plaintext));
}
public static string Encrypt(JweConfig config, String payload, JweHeader header)
{
byte[] cek = AesEncryption.GenerateCek(256);
byte[] encryptedSecretKeyBytes = RsaEncryption.WrapSecretKey(config.EncryptionCertificate.GetRSAPublicKey(), cek, "SHA-256");
string encryptedKey = Base64Utils.URLEncode(encryptedSecretKeyBytes);
byte[] iv = AesEncryption.GenerateIV();
byte[] payloadBytes = Encoding.UTF8.GetBytes(payload);
string headerString = header.Json.ToString();
string encodedHeader = Base64Utils.URLEncode(Encoding.UTF8.GetBytes(headerString));
byte[] aad = Encoding.ASCII.GetBytes(encodedHeader);
var encrypted = AesGcm.Encrypt(cek, iv, payloadBytes, aad);
return(Serialize(encodedHeader, encryptedKey, Base64Utils.URLEncode(iv), Base64Utils.URLEncode(encrypted.Ciphertext), Base64Utils.URLEncode(encrypted.AuthTag)));
}
public static string DecryptPayload(string payload, JweConfig config)
{
try
{
// Parse the given payload
JToken json = JObject.Parse(payload);
// Perform decryption
foreach (var entry in config.DecryptionPaths)
{
string jsonPathIn = entry.Key;
string jsonPathOut = entry.Value;
json = DecryptPayloadPath(json, jsonPathIn, jsonPathOut, config);
}
return(json.ToString());
}
catch (Exception ex)
{
throw new EncryptionException("Payload decryption failed!", ex);
}
}
private static JToken DecryptPayloadPath(JToken payload, string jsonPathIn, string jsonPathOut, JweConfig config)
{
JToken token = payload.SelectToken(jsonPathIn);
if (JsonUtils.IsNullOrEmptyJson(token))
{
// Nothing to decrypt
return(payload);
}
// Read and remove encrypted data and encryption fields at the given JSON path
string encryptedValue = ReadAndDeleteJsonKey(payload, token, config.EncryptedValueFieldName);
if (string.IsNullOrEmpty(encryptedValue))
{
// Nothing to decrypt
return(payload);
}
JweObject jweObject = JweObject.Parse(encryptedValue);
string decryptedValue = jweObject.Decrypt(config);
if ("$".Equals(jsonPathOut))
{
return(JObject.Parse(decryptedValue));
}
JsonUtils.CheckOrCreateOutObject(payload, jsonPathOut);
JsonUtils.AddDecryptedDataToPayload(payload, decryptedValue, jsonPathOut);
// Remove the input
token = payload.SelectToken(jsonPathIn);
if (null != token && token.Parent != null)
{
token.Parent.Remove();
}
return(payload);
}
private static JToken EncryptPayloadPath(JToken json, string jsonPathIn, string jsonPathOut, JweConfig config)
{
JToken token = json.SelectToken(jsonPathIn);
if (JsonUtils.IsNullOrEmptyJson(token))
{
// Nothing to encrypt
return(json);
}
// Encode and encrypt
string inJsonString = JsonUtils.SanitizeJson(token.ToString(Formatting.None));
JweHeader header = new JweHeader(ALGORITHM, ENCRYPTION, config.EncryptionKeyFingerprint, CONTENT_TYPE);
string encrypted = JweObject.Encrypt(config, inJsonString, header);
// Delete data in the clear
if ("$".Equals(jsonPathIn))
{
// Create a new object
json = JObject.Parse("{}");
}
else
{
token.Parent.Remove();
}
JsonUtils.CheckOrCreateOutObject(json, jsonPathOut);
var outJsonToken = json.SelectToken(jsonPathOut) as JObject;
JsonUtils.AddOrReplaceJsonKey(outJsonToken, config.EncryptedValueFieldName, encrypted);
return(outJsonToken);
}
/// <summary>
/// Constructor.
/// </summary>
public RestSharpJweEncryptionInterceptor(JweConfig config)
{
_config = config;
}
