/// <summary>
/// Create a JWT token with specified parameters. Documentation: https://github.com/CommunityHiQ/Frends.Community.JWT.CreateToken
/// </summary>
/// <param name="parameters">Parameters for the token creation</param>
/// <returns>string</returns>
public static string CreateJwtToken(CreateJwtTokenParameters parameters)
{
var handler = new JwtSecurityTokenHandler();
using (var stream = new MemoryStream(Encoding.UTF8.GetBytes(parameters.PrivateKey)))
using (var reader = new PemReader(stream))
{
var rsaParameters = reader.ReadRsaKey();
var key = new RsaSecurityKey(rsaParameters);
var signingCredentials = new SigningCredentials(key, SecurityAlgorithms.RsaSha256);
var claims = new ClaimsIdentity();
if (parameters.Claims != null)
{
foreach (var claim in parameters.Claims)
{
claims.AddClaim(new Claim(claim.ClaimKey, claim.ClaimValue));
}
}
// Create JWT
var token = handler.CreateJwtSecurityToken(new SecurityTokenDescriptor
{
Issuer = parameters.Issuer,
Audience = parameters.Audience,
Expires = parameters.Expires,
NotBefore = parameters.NotBefore,
Subject = claims,
SigningCredentials = signingCredentials,
});
return(handler.WriteToken(token));
}
}
static async Task Main(string[] args)
{
IdentityModelEventSource.ShowPII = true;
var handler = new HttpClientHandler
{
ServerCertificateCustomValidationCallback = delegate { return(true); }
};
using var authClient = new HttpClient(handler)
{
BaseAddress = new Uri("https://*****:*****@"C:\Users\canale\.ssh\id_rsa"));
_authKey = new RsaSecurityKey(pemReader.ReadRsaKey());
_listener = new HttpListener();
_listener.Prefixes.Add("http://localhost:7002/");
_listener.Start();
var listenerThread = new Thread(ListenProcedure);
listenerThread.Start();
Console.ReadLine();
_listener.Close();
}
private RSA GetProveedorRSA()
{
var rsa = RSA.Create();
if (claveRSA.Equals(new RSAParameters()))
{
try
{
using (var ficheroClave = File.OpenRead(fichero))
{
using (var pem = new PemReader(ficheroClave))
{
claveRSA = pem.ReadRsaKey();
}
}
}
catch (Exception ex)
{
log.Error($"ERR SERVICIOSEGURIDAD (GetProveedorRSA) - {ex.Message}");
}
}
rsa.ImportParameters(claveRSA);
return(rsa);
}
private static void ConfigureJwtBearer(IServiceCollection services, JwtBearerOptions config,
IdentityConfig identityConfig)
{
config.RequireHttpsMetadata = false;
config.SaveToken = false;
config.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateIssuerSigningKey = true,
ValidateLifetime = true,
ValidateActor = true,
ValidateAudience = true,
ValidIssuer = identityConfig.Issuer,
ValidAudiences = identityConfig.Audiences.ToArray(),
ClockSkew = TimeSpan.Zero,
IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
{
// todo: I know this .Result is a very bad idea (converting from async to sync)
// however there's no other way to do this, signing key resolver doesn't have a
// async version of this method, they are looking into it though
// https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/468
var key = services.BuildServiceProvider().GetRequiredService <IKeyResolver>()
.ResolveKey(kid).Result;
var pemReader = new PemReader(new MemoryStream(Encoding.UTF8.GetBytes(key)));
var publicKeyParameters = pemReader.ReadRsaKey();
return(new[] { new RsaSecurityKey(publicKeyParameters) });
}
};
}
private void GetP()
{
System.IO.Stream stream = null;
using (var reader = new PemReader(stream))
{
var rsaParameters = reader.ReadRsaKey();
}
}
public static RSAParameters ReadRSA(string name)
{
using (var stream = ReadStream(name)) {
using (var reader = new PemReader(stream)) {
return(reader.ReadRsaKey());
}
}
}
public void LoadRSA(bool privateKey)
{
using (var fs = File.OpenRead(privateKey ? _privateFileName : _publicFileName))
{
using (var pem = new PemReader(fs))
_rsa = RSA.Create(pem.ReadRsaKey());
}
}
/// <summary>
/// Export the private key to a PEM format string
/// </summary>
/// <param name="pem">the RSA key</param>
/// <returns>the RSA key</returns>
public static RSAParameters ReadAsRSAKey(this string pem)
{
var key = default(RSAParameters);
using (var stream = new MemoryStream(Encoding.UTF8.GetBytes(pem)))
using (var reader = new PemReader(stream)) {
key = reader.ReadRsaKey();
}
return(key);
}
public static RSAParameters GetParameters()
{
HttpWebRequest request = HttpWebRequest.CreateHttp(SERVER_PUBLIC_KEY_URL);
request.Method = WebRequestMethods.Http.Get;
using (Stream str = request.GetResponse().GetResponseStream())
using (PemReader reader = new PemReader(str))
return(reader.ReadRsaKey());
}
public void ReadRsaKey_PrivateKey_WithLinuxLineEndings()
{
var pem = "-----BEGIN RSA PRIVATE KEY-----\n"
+ "MIIEpAIBAAKCAQEAzw2rOycv+DqPhxJ/XZDsALH0WIn/Yyk97TGKhYME6CuybqlJ\n"
+ "BVTbpd2th2Fw/bDTwIHXr2wYJubX9b4G0gfVIwemq1rZyyJu2SxoOEK4BQg5s8po\n"
+ "Qh0Uq5KadP5DVvxk0AkIUySBCvNU+AHxRFJtJ6UZTjtUVYv2Yie+3YWhN3uDZ5ki\n"
+ "mjB7VSZqgdgnMpfx8kDTtGFHpA1oQNt71z3nyXPRTxZXGlYZlgGNEmv+cd3wYuuQ\n"
+ "0LnqZf3thXZfXYd0ASWhfdq0BxGT8WbThk8y6y9/aHsEtaf4QSpc8idVXPu0BwR8\n"
+ "P4p5lGzY11a5YERPOCl5BiaHYPgUJxzPnkFipwIDAQABAoIBAA26MUUNtw91CnkB\n"
+ "D/KrHgp5weJw276+SD3GkBGD+zpNU1ok3RN+acWYad3U5wHazF8x/JPDzeIeYekH\n"
+ "/TnFjSryYelwb4oZMVIysIIyYjLrNbAm1jyz4t/xK05gYSSOPTzRrHyeqfOI6HQ8\n"
+ "5LsL3/LF7mSSaGf3jJE7Y1sadfLQneSUhLMjDksl+o914P/WrV/LGcZ7O6noZ3Vg\n"
+ "e8zPGlPciPVOBqHqtWzxyTxbtycIUPW7GKbZjaWMwRwLnI5U+hcoGQgHsRUUJMcw\n"
+ "iGubcScdlOHCnorxM79sgjnko4RD+DUZGU/if/oNRS6dhIvaWCIrt+4lHhpHhZGI\n"
+ "d16tLCECgYEA+uOWmE91jbACXylQ+GSAchUfAmeqtf2e23TlXzScleEay/elSbf6\n"
+ "/HgUhUiUXCa2r+3d6kbEhoKy4Hed1Jm19rYBBIMSLZR0R3Il987x6WAnx+xrkfSW\n"
+ "I3Z8fHJoCtTfS/hXA+W/Snr0WlFUMgwaEZzd3FEIU62ZizKgjO1c67ECgYEA00V5\n"
+ "L2a7FGa684RWXxNmFX0ROmAn3Dt9urT8lRsfsRARF52dPqSthS/iLchBIGTBUtZD\n"
+ "5EnX5ttu88o5XkjxOLRrPsMBBW4fk1stUgQVifeDrlUG4yMf7lNLrkbmJy+0cl0y\n"
+ "me9l+HMhOPKdLfyebadSy1HlkR8nKSaQW3y3wdcCgYEA8vIL1DWtmaSEx22U0NNR\n"
+ "Zid5vbRxJIYRnGVX75dcwe4XKsgGMJqN2ojVJjOgJpP+d+IY8FHS4IYTfTWXilXG\n"
+ "VL7twVbC9Yw6BS1OAudMbjcEjp4rlEyKTpDf/woyIbr89+3lJQsG77KciBEVPNln\n"
+ "LQL/++Yj8BO9CYPe4FjBkCECgYEAmkKj1YSBHMhVwPDjz8/uPcpwBdunvxqBFw6H\n"
+ "TqfbYAGHOWMQKWk8eX8Y+qy5QNnQfpeMQufYCOw3+zGw6bMAzpKNq+nemQRrccCl\n"
+ "OrlYsMBVGbljqf0/l1iibcG+0uX2L3r1M4ilP99wZpBfS/CkDRSbU3Gc2XWRtm4+\n"
+ "AU7zLUkCgYBFVjQVyvkjNdnpKmFn3NCP5ELDj13dovK/ma75Paw+U9J1+4bIf+0O\n"
+ "hulF6wVUOJKlef7v7S7q4EM7WrbPXpI/Cqyn7B4Q/C0oWL0VCbceUgtvG6qTy8pd\n"
+ "AUxk9W0PnYDK7Sw+jv8iN0zNNr1SqZc37YLy2R1eD0R+3+RQHkl63Q==\n"
+ "-----END RSA PRIVATE KEY-----\n";
// Expected data has been derived from https://superdry.apphb.com/tools/online-rsa-key-converter
var expectedModulus = Convert.FromBase64String("zw2rOycv+DqPhxJ/XZDsALH0WIn/Yyk97TGKhYME6CuybqlJBVTbpd2th2Fw/bDTwIHXr2wYJubX9b4G0gfVIwemq1rZyyJu2SxoOEK4BQg5s8poQh0Uq5KadP5DVvxk0AkIUySBCvNU+AHxRFJtJ6UZTjtUVYv2Yie+3YWhN3uDZ5kimjB7VSZqgdgnMpfx8kDTtGFHpA1oQNt71z3nyXPRTxZXGlYZlgGNEmv+cd3wYuuQ0LnqZf3thXZfXYd0ASWhfdq0BxGT8WbThk8y6y9/aHsEtaf4QSpc8idVXPu0BwR8P4p5lGzY11a5YERPOCl5BiaHYPgUJxzPnkFipw==");
var expectedExponent = Convert.FromBase64String("AQAB");
var expectedD = Convert.FromBase64String("DboxRQ23D3UKeQEP8qseCnnB4nDbvr5IPcaQEYP7Ok1TWiTdE35pxZhp3dTnAdrMXzH8k8PN4h5h6Qf9OcWNKvJh6XBvihkxUjKwgjJiMus1sCbWPLPi3/ErTmBhJI49PNGsfJ6p84jodDzkuwvf8sXuZJJoZ/eMkTtjWxp18tCd5JSEsyMOSyX6j3Xg/9atX8sZxns7qehndWB7zM8aU9yI9U4Goeq1bPHJPFu3JwhQ9bsYptmNpYzBHAucjlT6FygZCAexFRQkxzCIa5txJx2U4cKeivEzv2yCOeSjhEP4NRkZT+J/+g1FLp2Ei9pYIiu37iUeGkeFkYh3Xq0sIQ==");
var expectedP = Convert.FromBase64String("+uOWmE91jbACXylQ+GSAchUfAmeqtf2e23TlXzScleEay/elSbf6/HgUhUiUXCa2r+3d6kbEhoKy4Hed1Jm19rYBBIMSLZR0R3Il987x6WAnx+xrkfSWI3Z8fHJoCtTfS/hXA+W/Snr0WlFUMgwaEZzd3FEIU62ZizKgjO1c67E=");
var expectedQ = Convert.FromBase64String("00V5L2a7FGa684RWXxNmFX0ROmAn3Dt9urT8lRsfsRARF52dPqSthS/iLchBIGTBUtZD5EnX5ttu88o5XkjxOLRrPsMBBW4fk1stUgQVifeDrlUG4yMf7lNLrkbmJy+0cl0yme9l+HMhOPKdLfyebadSy1HlkR8nKSaQW3y3wdc=");
var expectedDP = Convert.FromBase64String("8vIL1DWtmaSEx22U0NNRZid5vbRxJIYRnGVX75dcwe4XKsgGMJqN2ojVJjOgJpP+d+IY8FHS4IYTfTWXilXGVL7twVbC9Yw6BS1OAudMbjcEjp4rlEyKTpDf/woyIbr89+3lJQsG77KciBEVPNlnLQL/++Yj8BO9CYPe4FjBkCE=");
var expectedDQ = Convert.FromBase64String("mkKj1YSBHMhVwPDjz8/uPcpwBdunvxqBFw6HTqfbYAGHOWMQKWk8eX8Y+qy5QNnQfpeMQufYCOw3+zGw6bMAzpKNq+nemQRrccClOrlYsMBVGbljqf0/l1iibcG+0uX2L3r1M4ilP99wZpBfS/CkDRSbU3Gc2XWRtm4+AU7zLUk=");
var expectedInverseQ = Convert.FromBase64String("RVY0Fcr5IzXZ6SphZ9zQj+RCw49d3aLyv5mu+T2sPlPSdfuGyH/tDobpResFVDiSpXn+7+0u6uBDO1q2z16SPwqsp+weEPwtKFi9FQm3HlILbxuqk8vKXQFMZPVtD52Ayu0sPo7/IjdMzTa9UqmXN+2C8tkdXg9Eft/kUB5Jet0=");
using (var stream = new MemoryStream(Encoding.UTF8.GetBytes(pem)))
using (var reader = new PemReader(stream))
{
var key = reader.ReadRsaKey();
Assert.That(key.Modulus, Is.EqualTo(expectedModulus));
Assert.That(key.Exponent, Is.EqualTo(expectedExponent));
Assert.That(key.D, Is.EqualTo(expectedD));
Assert.That(key.P, Is.EqualTo(expectedP));
Assert.That(key.Q, Is.EqualTo(expectedQ));
Assert.That(key.DP, Is.EqualTo(expectedDP));
Assert.That(key.DQ, Is.EqualTo(expectedDQ));
Assert.That(key.InverseQ, Is.EqualTo(expectedInverseQ));
}
}
public byte[] DecryptRsa(string filePath, byte[] data)
{
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
using (var stream = File.OpenRead(filePath))
using (var reader = new PemReader(stream))
{
var rsaParameters = reader.ReadRsaKey();
rsa.ImportParameters(rsaParameters);
}
return(rsa.Decrypt(data, false));
}
private static RSA ReadPublicKey(string pemFile)
{
using (var stream = File.OpenRead(pemFile))
{
using (var reader = new PemReader(stream))
{
var rsaParameters = reader.ReadRsaKey();
var rsa = RSA.Create();
rsa.ImportParameters(rsaParameters);
return(rsa);
}
}
}
/// <summary>
/// Read a RSA key from the given PEM file.
/// </summary>
/// <param name="pemFile">Path to the PEM file.</param>
/// <returns>The RSA key read from the PEM file.</returns>
/// <exception cref="ArgumentNullException"><paramref name="pemFile"/> is null.</exception>
public static RSA ReadRsaKey(string pemFile)
{
Contract.NotNull(pemFile, nameof(pemFile));
RSAParameters rsaParams;
using (var pemReader = new PemReader(File.OpenRead(pemFile)))
{
rsaParams = pemReader.ReadRsaKey();
}
return(RSA.Create(rsaParams));
}
public void Initialize(Stream keyStream, string issuer)
{
using var reader = new PemReader(keyStream);
var key = reader.ReadRsaKey();
var algorithm = new RS256Algorithm(RSA.Create(key), RSA.Create(key));
var serializer = new JsonNetSerializer();
var urlEncoder = new JwtBase64UrlEncoder();
_encoder = new JwtEncoder(algorithm, serializer, urlEncoder);
_issuer = issuer;
_initialized = true;
}
private RSA ReadRSA(string filePath = _rsaPrivateKeyFileName)
{
_validationHelpers.ThrowIfNull(filePath, nameof(filePath));
RSA rsa = null;
string fileDir = Path.Combine(_commonHelpers.DefaultFileProvider.BaseDirectory, filePath);
if ((SingletonDictionary <string, RSA> .Instance).ContainsKey(filePath))
{
rsa = (SingletonDictionary <string, RSA> .Instance)[filePath];
}
else
{
if (_commonHelpers.DefaultFileProvider.FileExists(fileDir))
{
using (var stream = File.OpenRead(fileDir))
{
using (var reader = new PemReader(stream))
{
var rsaParameters = reader.ReadRsaKey();
rsa = RSA.Create(rsaParameters);
}
}
(SingletonDictionary <string, RSA> .Instance).Add(filePath, rsa);
}
else
{
rsa = RSA.Create();
(SingletonDictionary <string, RSA> .Instance).Add(filePath, rsa);
using (var stream = File.OpenWrite(fileDir))
{
using (var writer = new PemWriter(stream))
{
writer.WritePrivateKey(rsa);
}
}
using (var stream = File.OpenWrite(Path.Combine(_commonHelpers.DefaultFileProvider.GetParentDirectory(fileDir), _rsaPublicKeyFileName)))
{
using (var writer = new PemWriter(stream))
{
writer.WritePublicKey(rsa);
}
}
}
}
return(rsa);
}
public async Task ReadKeyFromPemFile()
{
try
{
_logger.LogInformation($"PEM Approach.");
var kvUri = "https://devkvpmtengineshared.vault.azure.net/keys/encryption-key/dc190f1de6604bdab494f50d0ce98bb7";
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var kvClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
RSAParameters rsaParameter;
var stream = new MemoryStream();
var writer = new StreamWriter(stream);
var s = GetPEMString();
writer.Write(s.ToString());
writer.Flush();
stream.Position = 0;
using (var reader = new PemReader(stream))
{
rsaParameter = reader.ReadRsaKey();
}
var plainTextData = "Hello World";
_logger.LogInformation($"PEM Encrypting data using RSA parameters.");
var provider = new RSACryptoServiceProvider();
provider.ImportParameters(rsaParameter);
var bytesPlainTextData = System.Text.Encoding.Unicode.GetBytes(plainTextData);
var edata = provider.Encrypt(bytesPlainTextData, true);
_logger.LogInformation($"PEM Decrpyting....... {edata.Length}");
var decryptedData = await kvClient.DecryptAsync(kvUri, JsonWebKeyEncryptionAlgorithm.RSAOAEP, edata);
var decryptedText = Encoding.Unicode.GetString(decryptedData.Result);
_logger.LogInformation($"PEM Decrpyted data:{decryptedText}");
_logger.LogInformation("PEM Done!");
}
catch (Exception ex)
{
_logger.LogInformation(ex.Message);
}
}
private static TokenValidationParameters CreateTokenValidationParameters(ISignatureKeyResolver keyResolver, KeyStoreConfig keyStoreConfig)
{
if (keyStoreConfig.Bypass)
{
Log.Fatal("!!!!!! Bypassing security signature, THIS CANNOT RUN ON PRODUCTION");
// This allows us to reproduce production scenarios and step into the code using a legit JWT without
// exposing the key service publicly
return(new TokenValidationParameters
{
ValidateIssuer = false,
ValidIssuer = "GenericCompany",
ValidateAudience = false,
ValidAudiences = new [] { "GenericCompany" },
ValidateIssuerSigningKey = false,
SignatureValidator = (token, parameters) => new JwtSecurityToken(token),
RequireExpirationTime = true,
ValidateLifetime = true,
ClockSkew = TimeSpan.Zero,
RequireSignedTokens = false
});
}
return(new TokenValidationParameters
{
ValidateIssuer = true,
ValidateIssuerSigningKey = true,
ValidateLifetime = true,
ValidateActor = true,
ValidateAudience = true,
ValidIssuer = "GenericCompany",
ValidAudiences = new[] { "GenericCompany" },
ClockSkew = TimeSpan.Zero,
IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
{
// todo: I know this .Result is a very bad idea (converting from async to sync)
// however there's no other way to do this, signing key resolver doesn't have a
// async version of this method, they are looking into it though
// https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/468
var key = keyResolver.ResolveKey(kid).Result;
var pemReader = new PemReader(new MemoryStream(Encoding.UTF8.GetBytes(key)));
var publicKeyParameters = pemReader.ReadRsaKey();
return new[] { new RsaSecurityKey(publicKeyParameters) };
}
});
}
static Crypto()
{
if (!File.Exists("Private Key.pem"))
{
Console.WriteLine("No \"Private Key.pem\" file not found. Press any key to exit.");
Console.ReadKey(true);
Environment.Exit(-1);
}
using (var fs = new FileStream("Private Key.pem", FileMode.Open))
{
using (var reader = new PemReader(fs))
{
_rsaService = new RSACryptoServiceProvider();
_rsaService.ImportParameters(reader.ReadRsaKey());
}
}
}
/// <summary>
/// Importa chave de arquivos PEM
/// </summary>
/// <param name="filePath">Caminho do arquivo</param>
/// <returns>Instância de <see cref="RSACryptoServiceProvider"/></returns>
RSACryptoServiceProvider ImportFromPEM(string filePath = null)
{
if (string.IsNullOrEmpty(filePath))
{
filePath = Path.Combine(_pathBase, "key-private.pem");
}
var rsa = new RSACryptoServiceProvider();
using (var stream = File.OpenRead(filePath))
using (var reader = new PemReader(stream))
{
var rsaParameters = reader.ReadRsaKey();
rsa.ImportParameters(rsaParameters);
}
return(rsa);
}
public static RSAParameters ParamsFromPem(string filePath)
{
try
{
using (var stream = File.OpenRead(filePath))
using (var reader = new PemReader(stream))
{
var rsaParameters = reader.ReadRsaKey();
return(rsaParameters);
}
}
catch (Exception ex)
{
UiMessages.Error(ex.ToString());
}
//default
return(new RSAParameters());
}
public static RSAParameters GetPem(string pemKey)
{
RSAParameters key;
using (MemoryStream memoryStream = new MemoryStream())
{
using (StreamWriter streamWriter = new StreamWriter(memoryStream))
{
streamWriter.Write(pemKey);
streamWriter.Flush();
memoryStream.Position = 0;
using (PemReader reader = new PemReader(memoryStream))
{
key = reader.ReadRsaKey();
}
}
}
return(key);
}
//[Obsolete]
public RSA GetRSACryptoProvider(string version, bool isPulicKey)
{
var rsa = RSA.Create();
try
{
var directory = Path.Combine(_env.ContentRootPath, _configuration.GetSection("RSA:KeyLocation").Value, version, isPulicKey? @"publickey.pem": @"privatekey.pem");
using (var privateKey = File.OpenRead(directory))
{
using (var pem = new PemReader(privateKey))
{
var rsaParameters = pem.ReadRsaKey();
rsa.ImportParameters(rsaParameters);
}
}
return(rsa);
}
catch (Exception ex)
{
Console.WriteLine($"Exception in GetRSACryptoProvider(): {ex}");
return(null);
}
}
private static void ConfigureJwtBearer(IServiceCollection services, JwtBearerOptions options, Config config)
{
options.RequireHttpsMetadata = false;
options.SaveToken = false;
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = config.ValidateIssuer,
ValidateIssuerSigningKey = config.ValidateIssuerSigningKey,
ValidateLifetime = config.ValidateLifetime,
ValidateActor = config.ValidateActor,
ValidateAudience = config.ValidateAudience,
ValidIssuer = config.ValidIssuer,
ValidAudiences = config.ValidAudiences,
ClockSkew = config.ClockSkew,
IssuerSigningKeyResolver = (token, secToken, kid, parameters) =>
{
var key = services.BuildServiceProvider().GetRequiredService <IKeyResolver>()
.ResolveKey(kid).Result;
var pemReader = new PemReader(new MemoryStream(System.Text.Encoding.UTF8.GetBytes(key)));
var publicKeyParameters = pemReader.ReadRsaKey();
return(new [] { new RsaSecurityKey(publicKeyParameters) });
}
};
}
public void ReadRsaKey_PublicKey_WithWindowsLineEndings()
{
var pem = "-----BEGIN PUBLIC KEY-----\r\n"
+ "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsiLoIxmXaZAFRBKtHYZh\r\n"
+ "iF8m+pYR+xGIpupvsdDEvKO92D6fIccgVLIW6p6sSNkoXx5J6KDSMbA/chy5M6pR\r\n"
+ "vJkaCXCI4zlCPMYvPhI8OxN3RYPfdQTLpgPywrlfdn2CAum7o4D8nR4NJacB3NfP\r\n"
+ "nS9tsJ2L3p5iHviuTB4xm03IKmPPqsaJy+nXUFC1XS9E/PseVHRuNvKa7WmlwSZn\r\n"
+ "gQzKAVSIwqpgCc+oP1pKEeJ0M3LHFo8ao5SuzhfXUIGrPnkUKEE3m7B0b8xXZfP1\r\n"
+ "N6ELoonWDK+RMgYIBaZdgBhPfHxF8KfTHvSzcUzWZojuR+ynaFL9AJK+8RiXnB4C\r\n"
+ "JwIDAQAB\r\n"
+ "-----END PUBLIC KEY-----\r\n";
using (var stream = new MemoryStream(Encoding.UTF8.GetBytes(pem)))
using (var reader = new PemReader(stream))
{
var key = reader.ReadRsaKey();
var modulus = Convert.FromBase64String("siLoIxmXaZAFRBKtHYZhiF8m+pYR+xGIpupvsdDEvKO92D6fIccgVLIW6p6sSNkoXx5J6KDSMbA/chy5M6pRvJkaCXCI4zlCPMYvPhI8OxN3RYPfdQTLpgPywrlfdn2CAum7o4D8nR4NJacB3NfPnS9tsJ2L3p5iHviuTB4xm03IKmPPqsaJy+nXUFC1XS9E/PseVHRuNvKa7WmlwSZngQzKAVSIwqpgCc+oP1pKEeJ0M3LHFo8ao5SuzhfXUIGrPnkUKEE3m7B0b8xXZfP1N6ELoonWDK+RMgYIBaZdgBhPfHxF8KfTHvSzcUzWZojuR+ynaFL9AJK+8RiXnB4CJw==");
Assert.That(key.Modulus, Is.EquivalentTo(modulus));
var exponent = Convert.FromBase64String("AQAB");
Assert.That(key.Exponent, Is.EquivalentTo(exponent));
}
}
public async Task <int> Run(SignOptions options, string httpMessage)
{
ISignatureAlgorithm signatureAlgorithm;
if (string.IsNullOrEmpty(options.KeyType) || options.KeyType.Equals("RSA", StringComparison.OrdinalIgnoreCase))
{
RSAParameters rsaPrivateKey;
using (var stream = File.OpenRead(options.PrivateKey)) {
using (var reader = new PemReader(stream)) {
rsaPrivateKey = reader.ReadRsaKey();
}
}
signatureAlgorithm = RSASignatureAlgorithm.CreateForSigning(HashAlgorithmName.SHA512, rsaPrivateKey);
}
else if (options.KeyType.Equals("P256", StringComparison.OrdinalIgnoreCase) || options.KeyType.Equals("ECDSA", StringComparison.OrdinalIgnoreCase))
{
ECParameters ecPrivateKey;
using (var stream = File.OpenRead(options.PrivateKey)) {
using (var reader = new StreamReader(stream)) {
var fileContents = reader.ReadToEnd();
var lines = fileContents.Split(new[] { '\n', '\r' }, StringSplitOptions.RemoveEmptyEntries);
lines = lines.Skip(1).Take(lines.Length - 2).ToArray();
var pem = string.Join("", lines);
var ecdsa = ECDsa.Create();
var derArray = Convert.FromBase64String(pem);
ecdsa.ImportPkcs8PrivateKey(derArray, out _);
ecPrivateKey = ecdsa.ExportParameters(true);
}
}
signatureAlgorithm = ECDsaSignatureAlgorithm.CreateForSigning(HashAlgorithmName.SHA512, ecPrivateKey);
}
else if (options.KeyType.Equals("HMAC", StringComparison.OrdinalIgnoreCase))
{
signatureAlgorithm = SignatureAlgorithm.CreateForSigning(options.PrivateKey, HashAlgorithmName.SHA512);
}
else
{
throw new NotSupportedException("The specified key type is not supported.");
}
if (!string.IsNullOrEmpty(options.Algorithm) &&
!options.Algorithm.StartsWith("rsa", StringComparison.OrdinalIgnoreCase) &&
!options.Algorithm.StartsWith("hmac", StringComparison.OrdinalIgnoreCase) &&
!options.Algorithm.StartsWith("ecdsa", StringComparison.OrdinalIgnoreCase))
{
signatureAlgorithm = new CustomSignatureAlgorithm(options.Algorithm);
}
var signingSettings = new SigningSettings {
SignatureAlgorithm = signatureAlgorithm,
EnableNonce = false,
DigestHashAlgorithm = HashAlgorithmName.SHA256,
AutomaticallyAddRecommendedHeaders = false,
Headers = options.Headers
?.Split(new[] { ' ', ',' }, StringSplitOptions.RemoveEmptyEntries)
.Select(h => new HeaderName(h))
.ToArray()
};
var signer = _requestSignerFactory.Create(
new KeyId("test"),
signingSettings);
var request = HttpRequestMessageParser.Parse(httpMessage);
var created = DateTimeOffset.UtcNow;
if (!string.IsNullOrEmpty(options.Created))
{
var createdUnix = int.Parse(options.Created);
created = DateTimeOffset.FromUnixTimeSeconds(createdUnix);
}
var expires = signingSettings.Expires;
if (!string.IsNullOrEmpty(options.Expires))
{
var expiresUnix = int.Parse(options.Expires);
var expiresAbsolute = DateTimeOffset.FromUnixTimeSeconds(expiresUnix);
expires = expiresAbsolute - created;
}
await signer.Sign(request, created, expires);
var httpMessageLines = new List <string>(httpMessage.Split('\n').Select(l => l.Trim()));
httpMessageLines.Insert(1, "Authorization: " + request.Headers.Authorization.Scheme + " " + request.Headers.Authorization.Parameter);
var fullMessage = string.Join('\n', httpMessageLines);
Log.Information(fullMessage);
Console.Out.Flush();
return(0);
}
public async Task <int> Run(VerifyOptions options, string httpMessage)
{
ISignatureAlgorithm signatureAlgorithmForVerification;
if (string.IsNullOrEmpty(options.KeyType) || options.KeyType.Equals("RSA", StringComparison.OrdinalIgnoreCase))
{
RSAParameters rsaPublicKey;
using (var stream = File.OpenRead(options.PublicKey)) {
using (var reader = new PemReader(stream)) {
rsaPublicKey = reader.ReadRsaKey();
}
}
signatureAlgorithmForVerification = RSASignatureAlgorithm.CreateForVerification(HashAlgorithmName.SHA512, rsaPublicKey);
}
else if (options.KeyType.Equals("P256", StringComparison.OrdinalIgnoreCase) || options.KeyType.Equals("ECDSA", StringComparison.OrdinalIgnoreCase))
{
ECParameters ecPublicKey;
using (var stream = File.OpenRead(options.PublicKey)) {
using (var reader = new StreamReader(stream)) {
var fileContents = reader.ReadToEnd();
var lines = fileContents.Split(new[] { '\n', '\r' }, StringSplitOptions.RemoveEmptyEntries);
lines = lines.Skip(1).Take(lines.Length - 2).ToArray();
var pem = string.Join("", lines);
var ecdsa = ECDsa.Create();
var derArray = Convert.FromBase64String(pem);
ecdsa.ImportSubjectPublicKeyInfo(derArray, out _);
ecPublicKey = ecdsa.ExportParameters(false);
}
}
signatureAlgorithmForVerification = ECDsaSignatureAlgorithm.CreateForVerification(HashAlgorithmName.SHA512, ecPublicKey);
}
else if (options.KeyType.Equals("HMAC", StringComparison.OrdinalIgnoreCase))
{
signatureAlgorithmForVerification = SignatureAlgorithm.CreateForVerification(options.PublicKey, HashAlgorithmName.SHA512);
}
else
{
throw new NotSupportedException("The specified key type is not supported.");
}
var serviceProvider = new ServiceCollection()
.AddHttpMessageSignatureVerification(provider => {
var clientStore = new InMemoryClientStore();
clientStore.Register(new Client(
new KeyId("test"),
"ConformanceClient",
signatureAlgorithmForVerification,
TimeSpan.FromSeconds(30),
TimeSpan.FromMinutes(1)));
return(clientStore);
})
.BuildServiceProvider();
var verifier = serviceProvider.GetRequiredService <IRequestSignatureVerifier>();
var clientRequest = HttpRequestMessageParser.Parse(httpMessage);
var requestToVerify = await clientRequest.ToServerSideHttpRequest();
var verificationResult = await verifier.VerifySignature(requestToVerify, new SignedRequestAuthenticationOptions {
OnSignatureParsed = (request, signature) => {
if (!string.IsNullOrEmpty(options.Algorithm))
{
signature.Algorithm = options.Algorithm;
}
return(Task.CompletedTask);
}
});
return(verificationResult is RequestSignatureVerificationResultSuccess
? 0
: 1);
}
