public HmacUsingSha(SignatureAlgorithmId id)
{
switch (id)
{
case SignatureAlgorithmId.HS256: _keySize = 32; break;
case SignatureAlgorithmId.HS384: _keySize = 48; break;
case SignatureAlgorithmId.HS512: _keySize = 64; break;
default: throw new ArgumentException($"Invalid identifier: {id}.");
}
_id = id;
_keyRequirement = new KeyRequirement(KeyType.Oct, KeyOperations.SignAndVerify, _keySize * 8, id.GetKeyName().ToString());
}
/// <summary>
/// Initializes a new <see cref="TrustedPartyConfiguration"/>.
/// </summary>
/// <param name="outgoingSignatureAlgorithmId">See <see cref="OutgoingSignatureAlgorithm"/>.</param>
/// <param name="allowedIncomingSignatureAlgorithms">See <see cref="AllowedIncomingSignatureAlgorithms"/>.</param>
/// <param name="minSignatureLifetime">See <see cref="MinSignatureLifetime"/>.</param>
/// <param name="maxSignatureLifetime"><see cref="MaxSignatureLifetime"/>.</param>
/// <param name="alwaysRequireIncomingExpirationTime">See <see cref="AlwaysRequireIncomingExpirationTime"/>.</param>
/// <param name="rsaKeySizeForSignature">See <see cref="RSAKeyBitLengthForSignature"/>.</param>
public TrustedPartyConfiguration(SignatureAlgorithmId outgoingSignatureAlgorithmId,
IEnumerable <SignatureAlgorithmId>?allowedIncomingSignatureAlgorithms,
TimeSpan minSignatureLifetime,
TimeSpan maxSignatureLifetime,
bool alwaysRequireIncomingExpirationTime,
int rsaKeySizeForSignature = 2048)
{
Throw.CheckArgument(Enum.IsDefined(typeof(SignatureAlgorithmId), outgoingSignatureAlgorithmId));
Throw.CheckArgument(rsaKeySizeForSignature is 2048 or 3072 or 7680 or 15360);
Throw.CheckArgument(minSignatureLifetime >= TimeSpan.FromSeconds(1));
Throw.CheckArgument(maxSignatureLifetime <= TimeSpan.FromDays(1095));
Throw.CheckArgument(minSignatureLifetime <= maxSignatureLifetime);
_rsaKaySize = rsaKeySizeForSignature;
_minSignatureLifetime = minSignatureLifetime;
_maxSignatureLifetime = maxSignatureLifetime;
_alwaysRequireIncomingExpirationTime = alwaysRequireIncomingExpirationTime;
_algCache = new ISignAlgorithm[14];
_outgoingSignAlg = CreateAndCacheSignAlgorithm(outgoingSignatureAlgorithmId);
if (allowedIncomingSignatureAlgorithms != null)
{
foreach (var s in allowedIncomingSignatureAlgorithms)
{
_allowedIncomingSignAlgorithms |= 1 << (int)s;
CreateAndCacheSignAlgorithm(s);
}
}
else
{
_allowedIncomingSignAlgorithms = 1 << (int)outgoingSignatureAlgorithmId;
}
ISignAlgorithm CreateAndCacheSignAlgorithm(SignatureAlgorithmId id)
{
var a = _algCache[(int)id];
if (a == null)
{
a = id.GetAlgorithm(_rsaKaySize);
_algCache[(int)id] = a;
}
return(a);
}
}
public RsaUsingSha(SignatureAlgorithmId id, int rsaKeySize)
{
switch (id)
{
case SignatureAlgorithmId.RS256:
_hash = HashAlgorithmName.SHA256;
_padding = RSASignaturePadding.Pkcs1;
break;
case SignatureAlgorithmId.RS384:
_hash = HashAlgorithmName.SHA384;
_padding = RSASignaturePadding.Pkcs1;
break;
case SignatureAlgorithmId.RS512:
_hash = HashAlgorithmName.SHA512;
_padding = RSASignaturePadding.Pkcs1;
break;
case SignatureAlgorithmId.PS256:
_hash = HashAlgorithmName.SHA256;
_padding = RSASignaturePadding.Pss;
break;
case SignatureAlgorithmId.PS384:
_hash = HashAlgorithmName.SHA384;
_padding = RSASignaturePadding.Pss;
break;
case SignatureAlgorithmId.PS512:
_hash = HashAlgorithmName.SHA512;
_padding = RSASignaturePadding.Pss;
break;
default: throw new ArgumentException($"Invalid identifier: {id}.");
}
_id = id;
_keyRequirement = new KeyRequirement(KeyType.Rsa, KeyOperations.SignAndVerify, rsaKeySize, id.GetKeyName().ToString());
}
public EcdsaUsingSha(SignatureAlgorithmId id)
{
ECCurve curveName;
switch (id)
{
case SignatureAlgorithmId.ES256:
curveName = ECCurve.NamedCurves.nistP256;
_hash = HashAlgorithmName.SHA256;
_signatureSize = 64;
break;
case SignatureAlgorithmId.ES256K:
// See http://oid-info.com/get/1.3.132.0.10 (secp256k1 curve).
curveName = ECCurve.CreateFromValue("1.3.132.0.10");
_hash = HashAlgorithmName.SHA256;
_signatureSize = 64;
break;
case SignatureAlgorithmId.ES384:
curveName = ECCurve.NamedCurves.nistP384;
_hash = HashAlgorithmName.SHA384;
_signatureSize = 96;
break;
case SignatureAlgorithmId.ES512:
curveName = ECCurve.NamedCurves.nistP521;
_hash = HashAlgorithmName.SHA512;
_signatureSize = 132;
break;
default: throw new ArgumentException($"SignatureAlgorithm '{id}' is not an EC algorithm.", nameof(id));
}
_id = id;
_keyRequirement = new KeyRequirement(KeyOperations.SignAndVerify, curveName.Oid, id.GetKeyName().ToString());
}
/// <summary>
/// Returns a configured algorithm for this audience and an incoming signature identifier.
/// </summary>
/// <param name="monitor">The monitor to use.</param>
/// <param name="id">The signature algorithm identifier.</param>
/// <returns>The algorithm or null if this identifier cannot be used.</returns>
public ISignAlgorithm?GetIncomingSignatureAlgorithm(IActivityMonitor monitor, SignatureAlgorithmId id)
{
var a = _configuration.GetIncomingSignatureAlgorithm(id);
if (a == null)
{
monitor.Error($"[{PartyName}]: Algorithm '{id}' is not allowed. Allowed algorithms are: {_configuration.AllowedIncomingSignatureAlgorithms.Select( a => a.ToString() ).Concatenate()}.");
}
return(a);
}
/// <summary> /// Gets the <see cref="ISignAlgorithm"/> that implements this signature. /// </summary> /// <param name="s">This signature.</param> /// <param name="rsaKeySize">The key size required when the algorithm relies in a RSA key.</param> /// <returns>The algorithm implementation.</returns> public static ISignAlgorithm GetAlgorithm(this SignatureAlgorithmId s, int rsaKeySize = 2048) => rsaKeySize == 2048 || s is 0 or >= SignatureAlgorithmId.PS512
public static JsonEncodedText GetKeyName(this SignatureAlgorithmId s)
{
Debug.Assert(Enum.GetNames(typeof(SignatureAlgorithmId)).Select(n => n.ToLowerInvariant()).SequenceEqual(_names.Select(n => n.ToString().ToLowerInvariant())));
return(_names[(int)s]);
}
/// <summary> /// Gets the numerical value that is associated to the algorithm identifiers by the different RFC. /// </summary> /// <param name="a">This algorithm.</param> /// <returns>The numeric value from the standard.</returns> static public short GetStandardValue(this SignatureAlgorithmId s) => _values[(int)s];
/// <summary>
/// Returns a configured algorithm for this audience and an incoming signature identifier.
/// </summary>
/// <param name="id">The signature algorithm identifier.</param>
/// <returns>The algorithm or null if this identifier is not allowed.</returns>
public ISignAlgorithm?GetIncomingSignatureAlgorithm(SignatureAlgorithmId id)
{
return((_allowedIncomingSignAlgorithms & (1 << (int)id)) == 0
? null
: _algCache[(int)id]);
}
