/// <summary>
/// Round-trips a nested JWT (HS256 JWS inside a JWE) through every key that
/// <c>SelectEncryptionKey</c> yields for the (enc, alg) pair, then parses it with a
/// policy that requires the HS256 signature and may decrypt with any key of the
/// test JWKS. Each parsed token is disposed at the end of the iteration.
/// </summary>
/// <param name="enc">Content-encryption ("enc") algorithm under test.</param>
/// <param name="alg">Key-management ("alg") algorithm under test.</param>
public void Compatible(EncryptionAlgorithm enc, KeyManagementAlgorithm alg)
{
    var writer = new JwtWriter();
    var encName = enc.Name.ToString();
    var algName = alg.Name.ToString();

    foreach (var kek in SelectEncryptionKey(encName, algName))
    {
        var signed = new JwsDescriptor(_signingKey, SignatureAlgorithm.HS256)
        {
            Payload = new JwtPayload { { "sub", "Alice" } }
        };
        var encrypted = new JweDescriptor(kek, alg, enc) { Payload = signed };
        var token = writer.WriteToken(encrypted);

        // Decryption keys come from the whole JWKS; the inner signature is still mandatory.
        var policy = new TokenValidationPolicyBuilder()
            .RequireSignatureByDefault(_signingKey)
            .WithDecryptionKeys(_keys.Jwks)
            .Build();

        var parsed = Jwt.TryParse(token, policy, out var jwt);
        Assert.True(parsed);
        Assert.True(jwt.Payload.TryGetClaim("sub", out var sub));
        Assert.Equal("Alice", sub.GetString());
        jwt.Dispose();
    }
}
/// <summary>
/// Encrypts a nested JWT to the RSA-2048 public test key with the given (enc, alg)
/// pair, then parses it back with the matching private key while requiring the
/// inner HS256 signature, and checks the "sub" claim survived the round trip.
/// </summary>
/// <param name="enc">Content-encryption ("enc") algorithm under test.</param>
/// <param name="alg">RSA key-management ("alg") algorithm under test.</param>
public void Encode_Decode(EncryptionAlgorithm enc, KeyManagementAlgorithm alg)
{
    var signed = new JwsDescriptor(_signingKey, SignatureAlgorithm.HS256)
    {
        Payload = new JwtPayload { { "sub", "Alice" } }
    };
    // Key management uses the public half; only the private half can open the token.
    var encrypted = new JweDescriptor(_publicRsa2048Key, alg, enc) { Payload = signed };
    var token = new JwtWriter().WriteToken(encrypted);

    var policy = new TokenValidationPolicyBuilder()
        .RequireSignatureByDefault(_signingKey)
        .WithDecryptionKey(_privateRsa2048Key)
        .Build();

    var parsed = Jwt.TryParse(token, policy, out var jwt);
    Assert.True(parsed);
    Assert.True(jwt.Payload.TryGetClaim("sub", out var sub));
    Assert.Equal("Alice", sub.GetString());
    jwt.Dispose();
}
/// <summary>
/// Initializes a new instance of the <see cref="JweWrapper"/> class by capturing the
/// raw token bytes, the two JWE algorithms and the validation policy. No validation
/// or copying is done here: the <paramref name="token"/> array is stored by reference.
/// </summary>
/// <param name="token">Raw (serialized) token bytes.</param>
/// <param name="keyManagementAlgorithm">Key-management ("alg") algorithm.</param>
/// <param name="encryptionAlgorithm">Content-encryption ("enc") algorithm.</param>
/// <param name="policy">Validation policy applied when the token is read.</param>
public JweWrapper(byte[] token, KeyManagementAlgorithm keyManagementAlgorithm, EncryptionAlgorithm encryptionAlgorithm, TokenValidationPolicy policy)
{
    Policy = policy;
    _encryptionAlgorithm = encryptionAlgorithm;
    _keyManagementAlgorithm = keyManagementAlgorithm;
    _token = token;
}
/// <summary>
/// Encrypts an HS256-signed JWT with the key that <c>SelectKey</c> returns for the
/// (enc, alg) pair, reads it back with a <see cref="JwtReader"/> holding the same key
/// and a policy that requires the signature, and checks status and subject.
/// </summary>
/// <param name="enc">Content-encryption ("enc") algorithm under test.</param>
/// <param name="alg">Key-management ("alg") algorithm under test.</param>
public void Encode_Decode(EncryptionAlgorithm enc, KeyManagementAlgorithm alg)
{
    var kek = SelectKey(enc.Name, alg.Name);

    var signed = new JwsDescriptor
    {
        SigningKey = _signingKey,
        Algorithm = SignatureAlgorithm.HmacSha256,
        Subject = "Alice"
    };
    var encrypted = new JweDescriptor
    {
        EncryptionKey = kek,
        EncryptionAlgorithm = enc,
        Algorithm = alg,
        Payload = signed
    };
    var token = new JwtWriter().WriteToken(encrypted);

    var policy = new TokenValidationPolicyBuilder()
        .RequireSignature(_signingKey)
        .Build();
    var outcome = new JwtReader(kek).TryReadToken(token, policy);

    Assert.Equal(TokenValidationStatus.Success, outcome.Status);
    Assert.Equal("Alice", outcome.Token.Subject);
}
/// <summary>
/// Supplies a pre-generated content-encryption key of the size <paramref name="enc"/>
/// requires and checks that the wrapper hands back that very key instead of minting
/// its own.
/// </summary>
/// <param name="enc">Content-encryption algorithm whose key size is used.</param>
/// <param name="alg">Key-management algorithm used to wrap the CEK.</param>
public void TryWrapKey_WithStaticKey_Success(EncryptionAlgorithm enc, KeyManagementAlgorithm alg)
{
    var staticCek = SymmetricJwk.GenerateKey(enc.RequiredKeySizeInBits);

    Jwk returned = TryWrapKey_Success(staticCek, enc, alg);

    Assert.Equal(staticCek, returned);
}
/// <summary>
/// Initializes a new instance of the <see cref="RsaKeyWrapper"/> class: builds an
/// <see cref="RSA"/> instance from the JWK parameters and selects the encryption
/// padding that corresponds to the key-management algorithm.
/// </summary>
/// <param name="key">RSA JWK whose parameters are exported into the <see cref="RSA"/> instance.</param>
/// <param name="encryptionAlgorithm">Content-encryption ("enc") algorithm.</param>
/// <param name="algorithm">RSA key-management ("alg") algorithm: RSA1_5 or an RSA-OAEP variant.</param>
public RsaKeyWrapper(RsaJwk key, EncryptionAlgorithm encryptionAlgorithm, KeyManagementAlgorithm algorithm)
    : base(encryptionAlgorithm, algorithm)
{
    // Debug-only contracts: release builds do not re-check that the key supports the algorithm.
    Debug.Assert(key.SupportKeyManagement(algorithm));
    Debug.Assert(algorithm.Category == AlgorithmCategory.Rsa);
    _key = key;
#if SUPPORT_SPAN_CRYPTO
    _rsa = RSA.Create(key.ExportParameters());
#else
#if NET461 || NET47
    // Explicit CNG on .NET Framework — presumably because RSA.Create() can yield
    // RSACryptoServiceProvider there, which lacks OAEP with SHA-2 digests.
    _rsa = new RSACng();
#else
    _rsa = RSA.Create();
#endif
    _rsa.ImportParameters(key.ExportParameters());
#endif
    // Unsupported algorithm ids fall through to the ThrowHelper arm.
    _padding = algorithm.Id switch
    {
        AlgorithmId.RsaOaep => RSAEncryptionPadding.OaepSHA1,
        // SECURITY: RSA1_5 produces tokens that the receiver must open with PKCS#1 v1.5
        // padding, the side exposed to Bleichenbacher-style padding-oracle attacks.
        // Prefer the OAEP variants for new deployments.
        AlgorithmId.Rsa1_5 => RSAEncryptionPadding.Pkcs1,
        AlgorithmId.RsaOaep256 => RSAEncryptionPadding.OaepSHA256,
        AlgorithmId.RsaOaep384 => RSAEncryptionPadding.OaepSHA384,
        AlgorithmId.RsaOaep512 => RSAEncryptionPadding.OaepSHA512,
        _ => throw ThrowHelper.CreateNotSupportedException_AlgorithmForKeyWrap(algorithm)
    };
}
/// <summary>
/// Builds a JWE descriptor for benchmarking: a freshly generated key whose kind
/// follows the category of <paramref name="algorithm"/> (4096-bit RSA, P-256 EC, or a
/// symmetric key sized for the algorithm), wrapping an unsigned ("none") JWS that
/// carries iat/exp (one hour), iss and aud claims.
/// </summary>
/// <param name="algorithm">Key-management ("alg") algorithm; drives key generation.</param>
/// <param name="encryptionAlgorithm">Content-encryption ("enc") algorithm; sizes the key in the Direct case.</param>
/// <returns>The descriptor wrapped in a <see cref="JweDescriptorWrapper"/>.</returns>
/// <exception cref="InvalidOperationException">The algorithm category has no key generator here.</exception>
private static JweDescriptorWrapper CreateDescriptor(KeyManagementAlgorithm algorithm, EncryptionAlgorithm encryptionAlgorithm)
{
    Jwk kek;
    switch (algorithm.Category)
    {
        case Cryptography.AlgorithmCategory.None:
            kek = Jwk.None;
            break;
        case Cryptography.AlgorithmCategory.EllipticCurve:
            kek = ECJwk.GeneratePrivateKey(EllipticalCurve.P256, algorithm);
            break;
        case Cryptography.AlgorithmCategory.Rsa:
            kek = RsaJwk.GeneratePrivateKey(4096, algorithm);
            break;
        case Cryptography.AlgorithmCategory.Aes:
        case Cryptography.AlgorithmCategory.AesGcm:
        case Cryptography.AlgorithmCategory.Hmac:
            kek = SymmetricJwk.GenerateKey(algorithm);
            break;
        case Cryptography.AlgorithmCategory.Direct:
            // Direct encryption: the shared key is the CEK itself, so size it for "enc".
            kek = SymmetricJwk.GenerateKey(encryptionAlgorithm);
            break;
        case Cryptography.AlgorithmCategory.Direct | Cryptography.AlgorithmCategory.EllipticCurve:
            kek = ECJwk.GeneratePrivateKey(EllipticalCurve.P256);
            break;
        default:
            throw new InvalidOperationException(algorithm.Category.ToString());
    }

    // Inner JWS is deliberately unsigned ("none"): these descriptors only measure JWE cost.
    var unsignedInner = new JwsDescriptor(Jwk.None, SignatureAlgorithm.None)
    {
        Payload = new JwtPayload
        {
            { JwtClaimNames.Iat, EpochTime.UtcNow },
            { JwtClaimNames.Exp, EpochTime.UtcNow + EpochTime.OneHour },
            { JwtClaimNames.Iss, "https://idp.example.com/" },
            { JwtClaimNames.Aud, "636C69656E745F6964" }
        }
    };
    var jwe = new JweDescriptor(kek, algorithm, encryptionAlgorithm) { Payload = unsignedInner };
    return new JweDescriptorWrapper(jwe);
}
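/// <summary>
/// Generates a symmetric ("oct") JWK for the key-generation command. The key size is
/// <c>_keyLength</c> when it is non-zero; otherwise <c>_alg</c> is parsed first as a
/// signature algorithm and then as a key-management algorithm and the size required by
/// that algorithm is used. Optional <c>kid</c>, <c>use</c> and <c>key_ops</c> values from
/// the command line are JSON-encoded onto the key. A thumbprint-derived kid is computed
/// unless <c>_noKid</c> is set.
/// </summary>
/// <param name="console">Console used for verbose progress output.</param>
/// <returns>The generated key.</returns>
/// <exception cref="InvalidOperationException">
/// Neither a key length nor a recognised algorithm was supplied.
/// </exception>
protected override SymmetricJwk GenerateKey(IConsole console)
{
    var stopwatch = new Stopwatch();
    SymmetricJwk key;

    if (_keyLength != 0)
    {
        console.Verbose($@"Generating 'oct' JWK of {_keyLength} bits...");
        stopwatch.Start();
        key = SymmetricJwk.GenerateKey(_keyLength, computeThumbprint: !_noKid);
    }
    else if (SignatureAlgorithm.TryParse(_alg, out var signatureAlgorithm))
    {
        console.Verbose($@"Generating 'oct' JWK of {signatureAlgorithm.RequiredKeySizeInBits} bits for algorithm {signatureAlgorithm}...");
        stopwatch.Start();
        key = SymmetricJwk.GenerateKey(signatureAlgorithm, computeThumbprint: !_noKid);
    }
    else if (KeyManagementAlgorithm.TryParse(_alg, out var keyManagementAlgorithm))
    {
        // Fix: this message previously interpolated 'signatureAlgorithm', i.e. the failed
        // out-variable of the branch above, so the reported algorithm name was wrong.
        console.Verbose($@"Generating 'oct' JWK of {keyManagementAlgorithm.RequiredKeySizeInBits} bits for algorithm {keyManagementAlgorithm}...");
        stopwatch.Start();
        key = SymmetricJwk.GenerateKey(keyManagementAlgorithm, computeThumbprint: !_noKid);
    }
    else
    {
        throw new InvalidOperationException("Unable to find a way to generate the key. Please specify a valid key length or a valid algorithm.");
    }

    console.Verbose($"JWK generated in {stopwatch.ElapsedMilliseconds} ms.");

    // An explicit kid overrides the thumbprint-derived one; with --no-kid nothing is logged.
    if (_kid != null)
    {
        console.Verbose($"kid: {_kid}");
        key.Kid = JsonEncodedText.Encode(_kid);
    }
    else if (!_noKid)
    {
        console.Verbose($"kid: {key.Kid}");
    }

    if (_use != null)
    {
        console.Verbose($"use: {_use}");
        key.Use = JsonEncodedText.Encode(_use);
    }

    if (_keyOps != null && _keyOps.Count != 0)
    {
        console.Verbose($"key_ops: {string.Join(", ", _keyOps)}");
        foreach (var op in _keyOps)
        {
            if (op != null)
            {
                key.KeyOps.Add(JsonEncodedText.Encode(op));
            }
        }
    }

    return key;
}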
/// <summary>
/// Passes a P-256 private key as the "static" key to the ECDH wrapping helper and
/// checks that a symmetric content-encryption key comes back.
/// </summary>
/// <param name="enc">Content-encryption algorithm.</param>
/// <param name="alg">ECDH-ES key-management algorithm under test.</param>
public void TryWrapKey_WithStaticKey_Success(EncryptionAlgorithm enc, KeyManagementAlgorithm alg)
{
    var staticKey = ECJwk.GeneratePrivateKey(EllipticalCurve.P256);

    Jwk produced = TryWrapKey_Success(staticKey, enc, alg);

    Assert.NotNull(produced);
    Assert.IsType<SymmetricJwk>(produced);
}
/// <summary>
/// Initializes a new instance of the <see cref="KeyWrapper"/> class, recording the
/// key-management and content-encryption algorithms it will serve.
/// </summary>
/// <param name="encryptionAlgorithm">Content-encryption ("enc") algorithm.</param>
/// <param name="algorithm">Key-management ("alg") algorithm.</param>
protected KeyWrapper(EncryptionAlgorithm encryptionAlgorithm, KeyManagementAlgorithm algorithm)
{
    // Null checks are debug-only; release builds store the arguments unchecked.
    Debug.Assert(algorithm != null);
    Debug.Assert(encryptionAlgorithm != null);

    EncryptionAlgorithm = encryptionAlgorithm;
    Algorithm = algorithm;
}
/// <summary>
/// Initializes a new instance of the <see cref="AsymmetricJwk"/> class from the
/// base64url-encoded JWK "d" parameter (the private-key component), which is decoded
/// and stored in <c>D</c>.
/// </summary>
/// <param name="d">Base64url-encoded private-key component; must not be null.</param>
/// <param name="alg">Key-management algorithm forwarded to the base constructor.</param>
protected AsymmetricJwk(string d, KeyManagementAlgorithm alg) : base(alg)
{
    if (d is null) { ThrowHelper.ThrowArgumentNullException(ExceptionArgument.d); }

    // Decoding errors, if any, surface from Base64Url.Decode itself.
    D = Base64Url.Decode(d);
}
/// <summary>
/// Initializes a new instance of the <see cref="AsymmetricJwk"/> class from the raw
/// bytes of the JWK "d" parameter (the private-key component).
/// </summary>
/// <param name="d">
/// Private-key bytes; must not be null. The array is stored by reference, not copied,
/// so the caller keeps a live handle to the private key material and any later
/// mutation (including zeroing) of the array changes this key.
/// </param>
/// <param name="alg">Key-management algorithm forwarded to the base constructor.</param>
protected AsymmetricJwk(byte[] d, KeyManagementAlgorithm alg) : base(alg)
{
    if (d is null) { ThrowHelper.ThrowArgumentNullException(ExceptionArgument.d); }

    D = d;
}
/// <summary>
/// Wraps <paramref name="keyToWrap"/> with a fresh P-256 ECDH wrapper for the given
/// algorithms and asserts that the produced header contains exactly one entry, the
/// ephemeral public key "epk".
/// </summary>
/// <param name="keyToWrap">Static key handed to the wrapper (may be null in callers).</param>
/// <param name="enc">Content-encryption algorithm.</param>
/// <param name="alg">ECDH-ES key-management algorithm.</param>
/// <returns>The content-encryption key returned by <c>WrapKey</c>.</returns>
private Jwk TryWrapKey_Success(ECJwk keyToWrap, EncryptionAlgorithm enc, KeyManagementAlgorithm alg)
{
    var kek = ECJwk.GeneratePrivateKey(EllipticalCurve.P256);
    var ecdh = new EcdhKeyWrapper(kek, enc, alg);

    var cek = WrapKey(ecdh, keyToWrap, out var header);

    // ECDH-ES contributes a single header parameter: the ephemeral public key.
    Assert.Equal(1, header.Count);
    Assert.True(header.ContainsKey("epk"));
    return cek;
}
/// <summary>
/// Lets the wrapper generate its own content-encryption key (no static key supplied)
/// and checks that one is produced. Skipped on macOS; the reason is not recorded here.
/// </summary>
/// <param name="enc">Content-encryption algorithm.</param>
/// <param name="alg">Key-management algorithm under test.</param>
public void TryWrapKey_WithoutStaticKey_Success(EncryptionAlgorithm enc, KeyManagementAlgorithm alg)
{
    var onMac = RuntimeInformation.IsOSPlatform(OSPlatform.OSX);
    if (onMac) return;

    Jwk generated = TryWrapKey_Success(null, enc, alg);

    Assert.NotNull(generated);
}
/// <summary>
/// Supplies a pre-generated content-encryption key sized for <paramref name="enc"/>
/// and checks the wrapper returns that same key. Skipped on macOS; the reason is not
/// recorded here.
/// </summary>
/// <param name="enc">Content-encryption algorithm whose key size is used.</param>
/// <param name="alg">Key-management algorithm under test.</param>
public void TryWrapKey_WithStaticKey_Success(EncryptionAlgorithm enc, KeyManagementAlgorithm alg)
{
    var onMac = RuntimeInformation.IsOSPlatform(OSPlatform.OSX);
    if (onMac) return;

    var staticCek = SymmetricJwk.GenerateKey(enc.RequiredKeySizeInBits);
    Jwk returned = TryWrapKey_Success(staticCek, enc, alg);

    Assert.Equal(staticCek, returned);
}
/// <summary>
/// Initializes a new instance of the <see cref="Pbes2KeyUnwrapper"/> class for a
/// PBES2 algorithm: records the algorithm name (and its UTF-8 length, used in the
/// derived-key salt), the PRF hash, the inner AES key-wrap algorithm and its key
/// size, and takes a copy of the password bytes.
/// </summary>
/// <param name="key">Password-based JWK; its bytes are copied into <c>_password</c>.</param>
/// <param name="encryptionAlgorithm">Content-encryption ("enc") algorithm.</param>
/// <param name="algorithm">PBES2 key-management algorithm (category Pbkdf2) with a wrapped AES-KW algorithm and a hash.</param>
internal Pbes2KeyUnwrapper(PasswordBasedJwk key, EncryptionAlgorithm encryptionAlgorithm, KeyManagementAlgorithm algorithm)
    : base(encryptionAlgorithm, algorithm)
{
    // Debug-only contracts; release builds rely on the caller.
    Debug.Assert(key.SupportKeyManagement(algorithm));
    Debug.Assert(algorithm.Category == AlgorithmCategory.Pbkdf2);
    Debug.Assert(algorithm.WrappedAlgorithm != null);
    Debug.Assert(algorithm.HashAlgorithm != null);

    var inner = algorithm.WrappedAlgorithm;
    _keyManagementAlgorithm = inner;
    _keySizeInBytes = inner.RequiredKeySizeInBits >> 3;
    _hashAlgorithm = algorithm.HashAlgorithm;
    _algorithm = algorithm.Name;
    _algorithmNameLength = _algorithm.EncodedUtf8Bytes.Length;
    // NOTE(review): the password copy is not zeroed here; confirm Dispose clears it.
    _password = key.ToArray();
    // NOTE(review): the iteration count (p2c) is not fixed here, so it is presumably read
    // from the token header at unwrap time. An attacker-chosen, unbounded p2c is a classic
    // CPU-exhaustion vector — confirm an upper bound is enforced where the header is parsed.
}
/// <summary>
/// Initializes a new instance of the <see cref="EcdhKeyWrapper"/> class. Chooses the
/// AlgorithmID and derived-key length for the ECDH-ES key derivation: with no wrapped
/// algorithm the derived key is the CEK itself and the "enc" name and size are used;
/// with a wrapped AES-KW algorithm the "alg" name and the wrapped key size are used
/// (this matches RFC 7518 §4.6.2's AlgorithmID rule).
/// </summary>
/// <param name="key">EC JWK used for the agreement.</param>
/// <param name="encryptionAlgorithm">Content-encryption ("enc") algorithm.</param>
/// <param name="contentEncryptionAlgorithm">
/// Despite its name, this is the key-management ("alg") algorithm; it is forwarded to
/// the base constructor in that position.
/// </param>
public EcdhKeyWrapper(ECJwk key, EncryptionAlgorithm encryptionAlgorithm, KeyManagementAlgorithm contentEncryptionAlgorithm)
    : base(key, encryptionAlgorithm, contentEncryptionAlgorithm)
{
    var wrapped = contentEncryptionAlgorithm.WrappedAlgorithm;
    if (wrapped is null)
    {
        _algorithmName = encryptionAlgorithm.Utf8Name;
        _keySizeInBytes = encryptionAlgorithm.RequiredKeySizeInBytes;
    }
    else
    {
        _algorithmName = contentEncryptionAlgorithm.Utf8Name;
        _keySizeInBytes = wrapped.RequiredKeySizeInBits >> 3;
    }

    _algorithmNameLength = _algorithmName.Length;
    _hashAlgorithm = GetHashAlgorithm(encryptionAlgorithm);
}
/// <summary>
/// Initializes a new instance of the <see cref="RsaKeyUnwrapper"/> class: materializes
/// an <see cref="RSA"/> instance from the JWK parameters and selects the decryption
/// padding for the key-management algorithm via <c>RsaHelper.GetEncryptionPadding</c>.
/// </summary>
/// <param name="key">RSA JWK; expected to carry the private parameters for unwrapping (not validated here).</param>
/// <param name="encryptionAlgorithm">Content-encryption ("enc") algorithm.</param>
/// <param name="algorithm">RSA key-management ("alg") algorithm.</param>
public RsaKeyUnwrapper(RsaJwk key, EncryptionAlgorithm encryptionAlgorithm, KeyManagementAlgorithm algorithm)
    : base(encryptionAlgorithm, algorithm)
{
    // Debug-only contracts; release builds do not re-check algorithm support.
    Debug.Assert(key.SupportKeyManagement(algorithm));
    Debug.Assert(algorithm.Category == AlgorithmCategory.Rsa);
#if SUPPORT_SPAN_CRYPTO
    _rsa = RSA.Create(key.ExportParameters());
#else
#if NET461 || NET47
    // Explicit CNG on .NET Framework — presumably because RSA.Create() can yield
    // RSACryptoServiceProvider there, which lacks OAEP with SHA-2 digests.
    _rsa = new RSACng();
#else
    _rsa = RSA.Create();
#endif
    _rsa.ImportParameters(key.ExportParameters());
#endif
    // SECURITY: for RSA1_5 the helper presumably yields PKCS#1 v1.5 padding (as the
    // wrapper does). Decryption with that padding is the side exposed to
    // Bleichenbacher padding-oracle attacks: only accept RSA1_5 where the validation
    // policy deliberately allows it, and keep unwrap failures indistinguishable from
    // other decryption failures (no distinct error or timing on bad padding).
    _padding = RsaHelper.GetEncryptionPadding(algorithm.Id);
}
/// <summary>
/// Initializes a new instance of the <see cref="Pbes2KeyWrapper"/> class for a PBES2
/// algorithm: records the algorithm name (and its UTF-8 length), the PRF hash, the
/// inner AES key-wrap algorithm and its key size, copies the password bytes, and
/// stores the PBKDF2 iteration count, salt size and salt generator to use when
/// wrapping.
/// </summary>
/// <param name="key">Password-based JWK; its bytes are copied into <c>_password</c>.</param>
/// <param name="encryptionAlgorithm">Content-encryption ("enc") algorithm.</param>
/// <param name="algorithm">PBES2 key-management algorithm (category Pbkdf2) with a wrapped AES-KW algorithm and a hash.</param>
/// <param name="iterationCount">
/// PBKDF2 iteration count (p2c). Not validated here; RFC 7518 §4.8.1.1 recommends at
/// least 1000, and a low value weakens the password-derived key.
/// </param>
/// <param name="saltSizeInBytes">
/// Size of the generated salt input (p2s). Not validated here; RFC 7518 §4.8.1.1 requires
/// at least 8 octets. Stored via an unchecked cast to <see cref="int"/>.
/// </param>
/// <param name="saltGenerator">Source of salt bytes; not null-checked here.</param>
public Pbes2KeyWrapper(PasswordBasedJwk key, EncryptionAlgorithm encryptionAlgorithm, KeyManagementAlgorithm algorithm, uint iterationCount, uint saltSizeInBytes, ISaltGenerator saltGenerator)
    : base(encryptionAlgorithm, algorithm)
{
    // Debug-only contracts; release builds rely on the caller.
    Debug.Assert(key.SupportKeyManagement(algorithm));
    Debug.Assert(algorithm.Category == AlgorithmCategory.Pbkdf2);
    Debug.Assert(algorithm.WrappedAlgorithm != null);
    Debug.Assert(algorithm.HashAlgorithm != null);

    var inner = algorithm.WrappedAlgorithm;
    _keyManagementAlgorithm = inner;
    _keySizeInBytes = inner.RequiredKeySizeInBits >> 3;
    _hashAlgorithm = algorithm.HashAlgorithm;
    _algorithm = algorithm.Name;
    _algorithmNameLength = _algorithm.EncodedUtf8Bytes.Length;
    // NOTE(review): the password copy is not zeroed here; confirm Dispose clears it.
    _password = key.ToArray();

    _saltGenerator = saltGenerator;
    _saltSizeInBytes = (int)saltSizeInBytes; // values above int.MaxValue wrap negative
    _iterationCount = iterationCount;
}
/// <summary>
/// Initializes a new instance of the <see cref="EcdhKeyWrapper"/> class. Chooses the
/// AlgorithmID and derived-key length for the ECDH-ES key derivation: with no wrapped
/// algorithm (direct key agreement) the "enc" name and key size are used and the
/// derived key is the CEK; with a wrapped AES-KW algorithm the "alg" name and the
/// wrapped key size are used and the wrapped algorithm is remembered for the
/// key-wrap step (this matches RFC 7518 §4.6.2's AlgorithmID rule).
/// </summary>
/// <param name="key">EC JWK used for the agreement.</param>
/// <param name="encryptionAlgorithm">Content-encryption ("enc") algorithm; also selects the KDF hash.</param>
/// <param name="algorithm">ECDH-ES key-management ("alg") algorithm.</param>
public EcdhKeyWrapper(ECJwk key, EncryptionAlgorithm encryptionAlgorithm, KeyManagementAlgorithm algorithm)
    : base(encryptionAlgorithm, algorithm)
{
    // Debug-only contracts; release builds do not re-check algorithm support.
    Debug.Assert(key.SupportKeyManagement(algorithm));
    Debug.Assert(algorithm.Category == AlgorithmCategory.EllipticCurve);
    _key = key;

    var wrapped = algorithm.WrappedAlgorithm;
    if (wrapped is null)
    {
        _algorithm = encryptionAlgorithm.Name;
        _keySizeInBytes = encryptionAlgorithm.RequiredKeySizeInBytes;
    }
    else
    {
        _algorithm = algorithm.Name;
        _keySizeInBytes = wrapped.RequiredKeySizeInBits >> 3;
        _keyManagementAlgorithm = wrapped;
    }

    _algorithmNameLength = _algorithm.EncodedUtf8Bytes.Length;
    _hashAlgorithm = GetHashAlgorithm(encryptionAlgorithm);
}
/// <summary>
/// Initializes a new instance of the <see cref="RsaKeyUnwrapper"/> class: materializes
/// an <see cref="RSA"/> instance from the JWK parameters, then selects the decryption
/// padding for the key-management algorithm. An unsupported algorithm is rejected
/// through <c>ThrowHelper.ThrowNotSupportedException_AlgorithmForKeyWrap</c>.
/// </summary>
/// <param name="key">RSA JWK; expected to carry the private parameters for unwrapping (not validated here).</param>
/// <param name="encryptionAlgorithm">Content-encryption ("enc") algorithm.</param>
/// <param name="contentEncryptionAlgorithm">
/// Despite its name, this is the RSA key-management ("alg") algorithm; it is forwarded
/// to the base constructor in that position.
/// </param>
public RsaKeyUnwrapper(RsaJwk key, EncryptionAlgorithm encryptionAlgorithm, KeyManagementAlgorithm contentEncryptionAlgorithm)
    : base(key, encryptionAlgorithm, contentEncryptionAlgorithm)
{
#if SUPPORT_SPAN_CRYPTO
    _rsa = RSA.Create(key.ExportParameters());
#else
    _rsa = RSA.Create();
    _rsa.ImportParameters(key.ExportParameters());
#endif
    _padding = SelectPadding(contentEncryptionAlgorithm);

    RSAEncryptionPadding SelectPadding(KeyManagementAlgorithm alg)
    {
        if (alg == KeyManagementAlgorithm.RsaOaep) return RSAEncryptionPadding.OaepSHA1;
        // SECURITY: RsaPkcs1 (RSA1_5) decrypts with PKCS#1 v1.5 padding, the side exposed to
        // Bleichenbacher padding-oracle attacks. Only accept it where the validation policy
        // deliberately allows it, and keep bad-padding failures indistinguishable from other
        // decryption failures (no distinct error or timing).
        if (alg == KeyManagementAlgorithm.RsaPkcs1) return RSAEncryptionPadding.Pkcs1;
        if (alg == KeyManagementAlgorithm.RsaOaep256) return RSAEncryptionPadding.OaepSHA256;
        if (alg == KeyManagementAlgorithm.RsaOaep384) return RSAEncryptionPadding.OaepSHA384;
        if (alg == KeyManagementAlgorithm.RsaOaep512) return RSAEncryptionPadding.OaepSHA512;

        ThrowHelper.ThrowNotSupportedException_AlgorithmForKeyWrap(alg);
        // Never reached: the helper throws. Present only to satisfy definite assignment.
        return RSAEncryptionPadding.CreateOaep(new HashAlgorithmName());
    }
}
/// <summary>
/// Placeholder unwrapper for the AES-GCM key-management family: construction always
/// fails through <c>ThrowHelper.ThrowNotSupportedException_AlgorithmForKeyWrap</c>,
/// so no instance can exist and this type performs no GCM key unwrapping.
/// </summary>
/// <param name="key">Symmetric JWK forwarded to the base constructor.</param>
/// <param name="encryptionAlgorithm">Content-encryption ("enc") algorithm.</param>
/// <param name="algorithm">Key-management ("alg") algorithm reported in the exception.</param>
public AesGcmKeyUnwrapper(SymmetricJwk key, EncryptionAlgorithm encryptionAlgorithm, KeyManagementAlgorithm algorithm)
    : base(key, encryptionAlgorithm, algorithm)
    => ThrowHelper.ThrowNotSupportedException_AlgorithmForKeyWrap(algorithm);
public AesKeyUnwrapper(SymmetricJwk key, EncryptionAlgorithm encryptionAlgorithm, KeyManagementAlgorithm algorithm) : base(key, encryptionAlgorithm, algorithm) { if (algorithm.Category != AlgorithmCategory.Aes) { ThrowHelper.ThrowNotSupportedException_AlgorithmForKeyWrap(algorithm); } #if !NETSTANDARD2_0 && !NET461 && !NETCOREAPP2_1 if (algorithm == KeyManagementAlgorithm.Aes128KW) { _decryptor = new Aes128NiCbcDecryptor(key.K); } else if (algorithm == KeyManagementAlgorithm.Aes256KW) { _decryptor = new Aes256NiCbcDecryptor(key.K); } else if (algorithm == KeyManagementAlgorithm.Aes192KW) { _decryptor = new Aes192NiCbcDecryptor(key.K); } else { ThrowHelper.ThrowNotSupportedException_AlgorithmForKeyWrap(algorithm); _decryptor = new Aes128NiCbcDecryptor(default);
/// <summary>
/// Initializes a new instance of the <see cref="JweDescriptor"/> class. Pure
/// pass-through to the base constructor. <paramref name="cty"/> defaults to
/// <c>Constants.Jwt</c>; assuming that constant is the string "JWT", this satisfies
/// RFC 7519 §5.2, which requires a nested JWT to carry <c>cty: "JWT"</c>.
/// </summary>
/// <param name="encryptionKey">Key used by the key-management algorithm.</param>
/// <param name="alg">Key-management ("alg") algorithm.</param>
/// <param name="enc">Content-encryption ("enc") algorithm.</param>
/// <param name="zip">Optional compression ("zip") algorithm; null leaves it unset.</param>
/// <param name="typ">Optional "typ" header value.</param>
/// <param name="cty">Content-type ("cty") header value; defaults to <c>Constants.Jwt</c>.</param>
public JweDescriptor(Jwk encryptionKey, KeyManagementAlgorithm alg, EncryptionAlgorithm enc, CompressionAlgorithm? zip = null, string? typ = null, string? cty = Constants.Jwt)
    : base(encryptionKey, alg, enc, zip, typ, cty)
{
}
/// <summary>
/// Asserts that <paramref name="key"/> reports support for key management with
/// <paramref name="alg"/>. <paramref name="enc"/> is accepted for signature parity
/// with the other test helpers but is not consulted.
/// </summary>
/// <param name="key">Key under test.</param>
/// <param name="enc">Content-encryption algorithm (unused here).</param>
/// <param name="alg">Key-management algorithm expected to be supported.</param>
public virtual void IsSupportedKeyWrapping_Success(Jwk key, EncryptionAlgorithm enc, KeyManagementAlgorithm alg)
{
    var supported = key.SupportKeyManagement(alg);
    Assert.True(supported);
}
/// <summary>
/// Asks <paramref name="key"/> for a key wrapper for an (enc, alg) pair it is expected
/// to reject, and asserts that creation fails and yields null. The out value is added
/// to <c>_disposables</c> before asserting, exactly as the original did (it is
/// expected to be null here).
/// </summary>
/// <param name="key">Key under test.</param>
/// <param name="enc">Content-encryption algorithm.</param>
/// <param name="alg">Key-management algorithm expected to be unsupported.</param>
/// <returns>The (null) wrapper.</returns>
public virtual KeyWrapper CreateKeyWrapper_Failed(Jwk key, EncryptionAlgorithm enc, KeyManagementAlgorithm alg)
{
    var created = key.TryGetKeyWrapper(enc, alg, out var wrapper);
    _disposables.Add(wrapper);

    Assert.False(created);
    Assert.Null(wrapper);
    return wrapper;
}
/// <summary>
/// Delegates to the base-class assertion that <paramref name="key"/> supports key
/// management with <paramref name="alg"/>; exists so this test class can attach its
/// own theory data to the inherited check.
/// </summary>
/// <param name="key">Key under test.</param>
/// <param name="enc">Content-encryption algorithm.</param>
/// <param name="alg">Key-management algorithm expected to be supported.</param>
public override void IsSupportedKeyWrapping_Success(Jwk key, EncryptionAlgorithm enc, KeyManagementAlgorithm alg)
    => base.IsSupportedKeyWrapping_Success(key, enc, alg);
/// <summary>
/// Initializes a new instance of the <see cref="EncryptedIdTokenDescriptor"/> class.
/// Pure pass-through to the base constructor.
/// NOTE(review): <paramref name="cty"/> defaults to <c>null</c> here, whereas
/// <see cref="JweDescriptor"/> defaults it to <c>Constants.Jwt</c>. RFC 7519 §5.2 expects
/// a nested JWT to carry <c>cty: "JWT"</c>; confirm the base class sets it for the
/// encrypted ID token, or pass it explicitly.
/// </summary>
/// <param name="encryptionKey">Key used by the key-management algorithm.</param>
/// <param name="alg">Key-management ("alg") algorithm.</param>
/// <param name="enc">Content-encryption ("enc") algorithm.</param>
/// <param name="zip">Optional compression ("zip") algorithm; null leaves it unset.</param>
/// <param name="typ">Optional "typ" header value.</param>
/// <param name="cty">Optional content-type ("cty") header value; defaults to null.</param>
public EncryptedIdTokenDescriptor(Jwk encryptionKey, KeyManagementAlgorithm alg, EncryptionAlgorithm enc, CompressionAlgorithm? zip = null, string? typ = null, string? cty = null)
    : base(encryptionKey, alg, enc, zip, typ, cty)
{
}
public AesKeyWrapper(SymmetricJwk key, EncryptionAlgorithm encryptionAlgorithm, KeyManagementAlgorithm algorithm) : base(key, encryptionAlgorithm, algorithm) { #if SUPPORT_SIMD if (algorithm == KeyManagementAlgorithm.Aes128KW) { _encryptor = new Aes128NiCbcEncryptor(key.K); } else if (algorithm == KeyManagementAlgorithm.Aes256KW) { _encryptor = new Aes256NiCbcEncryptor(key.K); } else if (algorithm == KeyManagementAlgorithm.Aes192KW) { _encryptor = new Aes192NiCbcEncryptor(key.K); } else { ThrowHelper.ThrowNotSupportedException_AlgorithmForKeyWrap(algorithm); _encryptor = new Aes128NiCbcEncryptor(default);
/// <summary>
/// Delegates to the base-class helper that creates (and asserts the creation of) a
/// key wrapper for the given key and algorithms; exists so this test class can attach
/// its own theory data to the inherited check.
/// </summary>
/// <param name="key">Key under test.</param>
/// <param name="enc">Content-encryption algorithm.</param>
/// <param name="alg">Key-management algorithm expected to be supported.</param>
/// <returns>Whatever the base implementation returns.</returns>
public override KeyWrapper CreateKeyWrapper_Succeed(Jwk key, EncryptionAlgorithm enc, KeyManagementAlgorithm alg)
    => base.CreateKeyWrapper_Succeed(key, enc, alg);