public override void Seed(IDbContext context)
{
var certificate = new Certificate
{
IsDefault = true,
Use = Kernel.Federation.MetaData.Configuration.Cryptography.KeyUsage.Signing,
CetrificateStore = "TestCertStore",
StoreLocation = StoreLocation.LocalMachine
};
var storeCriterion = new StoreSearchCriterion
{
SearchCriteriaType = System.Security.Cryptography.X509Certificates.X509FindType.FindBySubjectName,
SearchCriteria = "ApiraTestCertificate",
};
var signingCritencials = new SigningCredential
{
DigestAlgorithm = SecurityAlgorithms.Sha1Digest,
SignatureAlgorithm = SecurityAlgorithms.RsaSha1Signature,
};
certificate.SigningCredentials.Add(signingCritencials);
signingCritencials.Certificates.Add(certificate);
certificate.StoreSearchCriteria.Add(storeCriterion);
context.Add <Certificate>(certificate);
Seeder._cache.Add(Seeder.CertificatesKey, new[] { certificate });
}
/// <summary>
/// Add Signing credential by file
/// </summary>
/// <param name="builder">IIdentityServerBuilder</param>
/// <param name="appSettings">AppSettings</param>
/// <returns>IIdentityServerBuilder</returns>
public static IIdentityServerBuilder AddSigningCredentialsByFile(
this IIdentityServerBuilder builder, AppSettings appSettings)
{
// Variables
const int DEFAULT_EXPIRY_YEAR = 1;
const string DIR_NAME_KEYS = "Keys";
const string FILE_NAME_WORKING_SC = "SigningCredential.rsa";
const string FILE_NAME_DEPRECATED_SC = "DeprecatedSigningCredentials.rsa";
var rootDir = Path.Combine(AppContext.BaseDirectory, DIR_NAME_KEYS);
var workingScDir = Path.Combine(rootDir, FILE_NAME_WORKING_SC);
var deprecatedScDir = Path.Combine(rootDir, FILE_NAME_DEPRECATED_SC);
var utcNow = DateTimeOffset.UtcNow;
// RSA key object
Microsoft.IdentityModel.Tokens.RsaSecurityKey key = null; // The Key for Idsrv
// Signing credetial object
SigningCredential credential = null; // The Signing credential stored in file
List <SigningCredential> deprecatedCredentials = null; // The Deprecated Signing credentials stored in file
#region Add exist or new Signing Credentials
var strWorkingSc = FileUtils.ReadFileAsync(workingScDir).Result;
var strDeprecatedScs = FileUtils.ReadFileAsync(deprecatedScDir).Result;
if (!string.IsNullOrEmpty(strWorkingSc))
{
// Use the RSA key pair stored in file
credential = JsonConvert.DeserializeObject <SigningCredential>(strWorkingSc);
key = CryptoHelper.CreateRsaSecurityKey(credential.Parameters, credential.KeyId);
// Warning if key expires
if (credential.ExpireOn < utcNow)
{
logger.Warn($"Auth Server's Signing Credential (ID: {credential.KeyId}) is expired at {credential.ExpireOn.ToLocalTime()}!");
}
}
else
{
// Create new RSA key pair
key = CryptoHelper.CreateRsaSecurityKey();
RSAParameters parameters = key.Rsa == null ?
parameters = key.Parameters :
key.Rsa.ExportParameters(includePrivateParameters: true);
var expireOn = appSettings.Global?.SigningCredential?.DefaultExpiry == null?
utcNow.AddYears(DEFAULT_EXPIRY_YEAR) :
appSettings.Global.SigningCredential.DefaultExpiry.GetExpireOn();
credential = new SigningCredential
{
Parameters = parameters,
KeyId = key.KeyId,
ExpireOn = expireOn
};
// Save to fiile
FileUtils.SaveFileAsync(workingScDir, JsonConvert.SerializeObject(credential)).Wait();
}
// Add the key as the Signing credential for Idsrv
builder.AddSigningCredential(key, IdentityServerConstants.RsaSigningAlgorithm.RS256);
#endregion
#region Add Deprecated Signing Credentials for clients' old tokens
deprecatedCredentials = string.IsNullOrEmpty(strDeprecatedScs) ? new List <SigningCredential>() : JsonConvert.DeserializeObject <List <SigningCredential> >(strDeprecatedScs);
IList <SecurityKeyInfo> deprecatedKeyInfos = new List <SecurityKeyInfo>();
deprecatedCredentials.ForEach(dc =>
{
var deprecatedKeyInfo = new SecurityKeyInfo
{
Key = CryptoHelper.CreateRsaSecurityKey(dc.Parameters, dc.KeyId),
SigningAlgorithm = SecurityAlgorithms.RsaSha256
};
deprecatedKeyInfos.Add(deprecatedKeyInfo);
// builder.AddValidationKey(deprecatedKey, IdentityServerConstants.RsaSigningAlgorithm.RS256));
});
builder.AddValidationKey(deprecatedKeyInfos.ToArray());
#endregion
return(builder);
}
/// <summary>
/// Add Signing credential by Redis
/// </summary>
/// <param name="builder">IIdentityServerBuilder</param>
/// <param name="appSettings">AppSettings</param>
/// <returns>IIdentityServerBuilder</returns>
public static IIdentityServerBuilder AddSigningCredentialByRedis(
this IIdentityServerBuilder builder, AppSettings appSettings)
{
// Variables
const int DEFAULT_EXPIRY_YEAR = 1;
var utcNow = DateTimeOffset.UtcNow;
var redisKeyWorkingSk = CacheKeyFactory.SigningCredential();
var redisKeyDeprecatedSk = CacheKeyFactory.SigningCredential(isDeprecated: true);
// RSA key object
Microsoft.IdentityModel.Tokens.RsaSecurityKey key = null; // The Key for Idsrv
// Signing credetial object from Redis
SigningCredential credential = null; // The Signing credential stored in Redis
List <SigningCredential> deprecatedCredentials = null; // The Deprecated Signing credentials stored in Redis
using (ICacheService redis = new RedisService(appSettings))
{
bool isSigningCredentialExists = redis.GetCache(redisKeyWorkingSk, out credential);
if (isSigningCredentialExists && credential.ExpireOn >= utcNow)
{
// Use the RSA key pair stored in redis
key = CryptoHelper.CreateRsaSecurityKey(credential.Parameters, credential.KeyId);
}
else if (isSigningCredentialExists && credential.ExpireOn < utcNow)
{
#region Move the expired Signing credential to Redis's Decprecated-Signing-Credential key
_ = redis.GetCache(redisKeyDeprecatedSk, out deprecatedCredentials);
if (deprecatedCredentials == null)
{
deprecatedCredentials = new List <SigningCredential>();
}
deprecatedCredentials.Add(credential);
redis.SaveCache(redisKeyDeprecatedSk, deprecatedCredentials);
#endregion
#region Clear the expired Signing credential from Redis's Signing-Credential key
redis.ClearCache(redisKeyWorkingSk);
#endregion
// Set flag as False
isSigningCredentialExists = false;
}
#region If no available Signing credial, create a new one
if (!isSigningCredentialExists)
{
key = CryptoHelper.CreateRsaSecurityKey();
RSAParameters parameters = key.Rsa == null ?
parameters = key.Parameters :
key.Rsa.ExportParameters(includePrivateParameters: true);
var expireOn = appSettings.Global?.SigningCredential?.DefaultExpiry == null?
utcNow.AddYears(DEFAULT_EXPIRY_YEAR) :
appSettings.Global.SigningCredential.DefaultExpiry.GetExpireOn();
credential = new SigningCredential
{
Parameters = parameters,
KeyId = key.KeyId,
ExpireOn = expireOn
};
// Save to Redis
redis.SaveCache(redisKeyWorkingSk, credential);
}
#endregion
// Add the key as the Signing credential for Idsrv
builder.AddSigningCredential(key, IdentityServerConstants.RsaSigningAlgorithm.RS256);
// Also add the expired key for clients' old tokens
if (redis.GetCache(redisKeyDeprecatedSk, out deprecatedCredentials))
{
IList <SecurityKeyInfo> deprecatedKeyInfos = new List <SecurityKeyInfo>();
deprecatedCredentials.ForEach(dc =>
{
var deprecatedKeyInfo = new SecurityKeyInfo
{
Key = CryptoHelper.CreateRsaSecurityKey(dc.Parameters, dc.KeyId),
SigningAlgorithm = SecurityAlgorithms.RsaSha256
};
deprecatedKeyInfos.Add(deprecatedKeyInfo);
// builder.AddValidationKey(deprecatedKey, IdentityServerConstants.RsaSigningAlgorithm.RS256));
});
builder.AddValidationKey(deprecatedKeyInfos.ToArray());
}
}
return(builder);
}
