public HmacUsingSha(SignatureAlgorithmId id) { switch (id) { case SignatureAlgorithmId.HS256: _keySize = 32; break; case SignatureAlgorithmId.HS384: _keySize = 48; break; case SignatureAlgorithmId.HS512: _keySize = 64; break; default: throw new ArgumentException($"Invalid identifier: {id}."); } _id = id; _keyRequirement = new KeyRequirement(KeyType.Oct, KeyOperations.SignAndVerify, _keySize * 8, id.GetKeyName().ToString()); }
/// <summary> /// Initializes a new <see cref="TrustedPartyConfiguration"/>. /// </summary> /// <param name="outgoingSignatureAlgorithmId">See <see cref="OutgoingSignatureAlgorithm"/>.</param> /// <param name="allowedIncomingSignatureAlgorithms">See <see cref="AllowedIncomingSignatureAlgorithms"/>.</param> /// <param name="minSignatureLifetime">See <see cref="MinSignatureLifetime"/>.</param> /// <param name="maxSignatureLifetime"><see cref="MaxSignatureLifetime"/>.</param> /// <param name="alwaysRequireIncomingExpirationTime">See <see cref="AlwaysRequireIncomingExpirationTime"/>.</param> /// <param name="rsaKeySizeForSignature">See <see cref="RSAKeyBitLengthForSignature"/>.</param> public TrustedPartyConfiguration(SignatureAlgorithmId outgoingSignatureAlgorithmId, IEnumerable <SignatureAlgorithmId>?allowedIncomingSignatureAlgorithms, TimeSpan minSignatureLifetime, TimeSpan maxSignatureLifetime, bool alwaysRequireIncomingExpirationTime, int rsaKeySizeForSignature = 2048) { Throw.CheckArgument(Enum.IsDefined(typeof(SignatureAlgorithmId), outgoingSignatureAlgorithmId)); Throw.CheckArgument(rsaKeySizeForSignature is 2048 or 3072 or 7680 or 15360); Throw.CheckArgument(minSignatureLifetime >= TimeSpan.FromSeconds(1)); Throw.CheckArgument(maxSignatureLifetime <= TimeSpan.FromDays(1095)); Throw.CheckArgument(minSignatureLifetime <= maxSignatureLifetime); _rsaKaySize = rsaKeySizeForSignature; _minSignatureLifetime = minSignatureLifetime; _maxSignatureLifetime = maxSignatureLifetime; _alwaysRequireIncomingExpirationTime = alwaysRequireIncomingExpirationTime; _algCache = new ISignAlgorithm[14]; _outgoingSignAlg = CreateAndCacheSignAlgorithm(outgoingSignatureAlgorithmId); if (allowedIncomingSignatureAlgorithms != null) { foreach (var s in allowedIncomingSignatureAlgorithms) { _allowedIncomingSignAlgorithms |= 1 << (int)s; CreateAndCacheSignAlgorithm(s); } } else { _allowedIncomingSignAlgorithms = 1 << (int)outgoingSignatureAlgorithmId; } ISignAlgorithm CreateAndCacheSignAlgorithm(SignatureAlgorithmId id) { var a = _algCache[(int)id]; if (a == null) { a = id.GetAlgorithm(_rsaKaySize); _algCache[(int)id] = a; } return(a); } }
public RsaUsingSha(SignatureAlgorithmId id, int rsaKeySize) { switch (id) { case SignatureAlgorithmId.RS256: _hash = HashAlgorithmName.SHA256; _padding = RSASignaturePadding.Pkcs1; break; case SignatureAlgorithmId.RS384: _hash = HashAlgorithmName.SHA384; _padding = RSASignaturePadding.Pkcs1; break; case SignatureAlgorithmId.RS512: _hash = HashAlgorithmName.SHA512; _padding = RSASignaturePadding.Pkcs1; break; case SignatureAlgorithmId.PS256: _hash = HashAlgorithmName.SHA256; _padding = RSASignaturePadding.Pss; break; case SignatureAlgorithmId.PS384: _hash = HashAlgorithmName.SHA384; _padding = RSASignaturePadding.Pss; break; case SignatureAlgorithmId.PS512: _hash = HashAlgorithmName.SHA512; _padding = RSASignaturePadding.Pss; break; default: throw new ArgumentException($"Invalid identifier: {id}."); } _id = id; _keyRequirement = new KeyRequirement(KeyType.Rsa, KeyOperations.SignAndVerify, rsaKeySize, id.GetKeyName().ToString()); }
public EcdsaUsingSha(SignatureAlgorithmId id) { ECCurve curveName; switch (id) { case SignatureAlgorithmId.ES256: curveName = ECCurve.NamedCurves.nistP256; _hash = HashAlgorithmName.SHA256; _signatureSize = 64; break; case SignatureAlgorithmId.ES256K: // See http://oid-info.com/get/1.3.132.0.10 (secp256k1 curve). curveName = ECCurve.CreateFromValue("1.3.132.0.10"); _hash = HashAlgorithmName.SHA256; _signatureSize = 64; break; case SignatureAlgorithmId.ES384: curveName = ECCurve.NamedCurves.nistP384; _hash = HashAlgorithmName.SHA384; _signatureSize = 96; break; case SignatureAlgorithmId.ES512: curveName = ECCurve.NamedCurves.nistP521; _hash = HashAlgorithmName.SHA512; _signatureSize = 132; break; default: throw new ArgumentException($"SignatureAlgorithm '{id}' is not an EC algorithm.", nameof(id)); } _id = id; _keyRequirement = new KeyRequirement(KeyOperations.SignAndVerify, curveName.Oid, id.GetKeyName().ToString()); }
/// <summary> /// Returns a configured algorithm for this audience and an incoming signature identifier. /// </summary> /// <param name="monitor">The monitor to use.</param> /// <param name="id">The signature algorithm identifier.</param> /// <returns>The algorithm or null if this identifier cannot be used.</returns> public ISignAlgorithm?GetIncomingSignatureAlgorithm(IActivityMonitor monitor, SignatureAlgorithmId id) { var a = _configuration.GetIncomingSignatureAlgorithm(id); if (a == null) { monitor.Error($"[{PartyName}]: Algorithm '{id}' is not allowed. Allowed algorithms are: {_configuration.AllowedIncomingSignatureAlgorithms.Select( a => a.ToString() ).Concatenate()}."); } return(a); }
/// <summary> /// Gets the <see cref="ISignAlgorithm"/> that implements this signature. /// </summary> /// <param name="s">This signature.</param> /// <param name="rsaKeySize">The key size required when the algorithm relies in a RSA key.</param> /// <returns>The algorithm implementation.</returns> public static ISignAlgorithm GetAlgorithm(this SignatureAlgorithmId s, int rsaKeySize = 2048) => rsaKeySize == 2048 || s is 0 or >= SignatureAlgorithmId.PS512
public static JsonEncodedText GetKeyName(this SignatureAlgorithmId s) { Debug.Assert(Enum.GetNames(typeof(SignatureAlgorithmId)).Select(n => n.ToLowerInvariant()).SequenceEqual(_names.Select(n => n.ToString().ToLowerInvariant()))); return(_names[(int)s]); }
/// <summary> /// Gets the numerical value that is associated to the algorithm identifiers by the different RFC. /// </summary> /// <param name="a">This algorithm.</param> /// <returns>The numeric value from the standard.</returns> static public short GetStandardValue(this SignatureAlgorithmId s) => _values[(int)s];
/// <summary> /// Returns a configured algorithm for this audience and an incoming signature identifier. /// </summary> /// <param name="id">The signature algorithm identifier.</param> /// <returns>The algorithm or null if this identifier is not allowed.</returns> public ISignAlgorithm?GetIncomingSignatureAlgorithm(SignatureAlgorithmId id) { return((_allowedIncomingSignAlgorithms & (1 << (int)id)) == 0 ? null : _algCache[(int)id]); }