Exemple #1
0
 /// <summary>
 /// Decodes JWT token by performing necessary decompression/decryption and signature verification as defined in JWT token header.
 /// Resulting json string will be parsed and mapped to desired type via configured IJsonMapper implementation.
 /// </summary>
 /// <typeparam name="T">Deserid object type after json mapping</typeparam>
 /// <param name="token">JWT token in compact serialization form.</param>
 /// <param name="key">key for decoding suitable for JWT algorithm used, can be null.</param>
 /// <param name="settings">optional settings to override global DefaultSettings</param>
 /// <returns>object of provided T, result of decoded json mapping</returns>
 /// <exception cref="IntegrityException">if signature validation failed</exception>
 /// <exception cref="EncryptionException">if JWT token can't be decrypted</exception>
 /// <exception cref="InvalidAlgorithmException">if JWT signature, encryption or compression algorithm is not supported</exception>
 public static T Decode <T>(string token, object key = null, JwtSettings settings = null)
 {
     return(GetSettings(settings).JsonMapper.Parse <T>(Decode(token, key, settings)));
 }
Exemple #2
0
        private static byte[] DecodeBytes(string token, object key = null, JwsAlgorithm?expectedJwsAlg = null, JweAlgorithm?expectedJweAlg = null, JweEncryption?expectedJweEnc = null, JwtSettings settings = null, byte[] payload = null)
        {
            Ensure.IsNotEmpty(token, "Incoming token expected to be in compact serialization form, not empty, whitespace or null.");

            var parts = Compact.Iterate(token);

            if (parts.Count == 5) //encrypted JWT
            {
                return(DecryptBytes(parts, key, expectedJweAlg, expectedJweEnc, settings));
            }
            else
            {
                //signed or plain JWT
                var jwtSettings = GetSettings(settings);

                byte[] header = parts.Next();

                var headerData = jwtSettings.JsonMapper.Parse <Dictionary <string, object> >(Encoding.UTF8.GetString(header));

                bool b64 = true;

                object value;
                if (headerData.TryGetValue("b64", out value))
                {
                    b64 = (bool)value;
                }

                byte[] contentPayload = parts.Next(b64);
                byte[] signature      = parts.Next();

                var effectivePayload = payload ?? contentPayload;

                var algorithm    = (string)headerData["alg"];
                var jwsAlgorithm = jwtSettings.JwsAlgorithmFromHeader(algorithm);
                if (expectedJwsAlg != null && expectedJwsAlg != jwsAlgorithm)
                {
                    throw new InvalidAlgorithmException(
                              "The algorithm type passed to the Decode method did not match the algorithm type in the header.");
                }

                var jwsAlgorithmImpl = jwtSettings.Jws(jwsAlgorithm);

                if (jwsAlgorithmImpl == null)
                {
                    throw new JoseException(string.Format("Unsupported JWS algorithm requested: {0}", algorithm));
                }

                if (!jwsAlgorithmImpl.Verify(signature, securedInput(header, effectivePayload, b64), key))
                {
                    throw new IntegrityException("Invalid signature.");
                }

                return(effectivePayload);
            }
        }
Exemple #3
0
        /// <summary>
        /// Parses JWT token, extracts and attempts to unmarshal headers to requested type
        /// This method is NOT performing integrity checking.
        /// </summary>
        /// <param name="token">signed JWT token</param>
        /// <param name="settings">optional settings to override global DefaultSettings</param>
        /// <typeparam name="T">desired type after unmarshalling</typeparam>
        /// <returns>unmarshalled headers</returns>
        public static T Headers <T>(string token, JwtSettings settings = null)
        {
            var parts = Compact.Iterate(token);

            return(GetSettings(settings).JsonMapper.Parse <T>(Encoding.UTF8.GetString(parts.Next())));
        }
Exemple #4
0
 /// <summary>
 /// Decodes JWT token by performing necessary decompression/decryption and signature verification as defined in JWT token header.
 /// Resulting json string will be parsed and mapped to desired type via configured IJsonMapper implementation.
 /// </summary>
 /// <typeparam name="T">Deserid object type after json mapping</typeparam>
 /// <param name="token">JWT token in compact serialization form.</param>
 /// <param name="key">key for decoding suitable for JWT algorithm used.</param>
 /// <param name="alg">The algorithm type that we expect to receive in the header.</param>
 /// <param name="enc">The encryption type that we expect to receive in the header.</param>
 /// <param name="settings">optional settings to override global DefaultSettings</param>
 /// <returns>object of provided T, result of decoded json mapping</returns>
 /// <exception cref="IntegrityException">if signature validation failed</exception>
 /// <exception cref="EncryptionException">if JWT token can't be decrypted</exception>
 /// <exception cref="InvalidAlgorithmException">if JWT signature, encryption or compression algorithm is not supported</exception>
 public static T Decode <T>(string token, object key, JweAlgorithm alg, JweEncryption enc, JwtSettings settings = null)
 {
     return(GetSettings(settings).JsonMapper.Parse <T>(Decode(token, key, alg, enc, settings)));
 }
Exemple #5
0
        /// <summary>
        /// Decypts a JWE by performing necessary decompression/decryption and authenticated decryption as defined in RFC7516.
        /// </summary>
        /// <param name="jwe">JWE to decrypt.</param>
        /// <param name="key">key for decoding suitable for JWE algorithm used to encrypt the CEK.</param>
        /// <param name="expectedJweAlg">The algorithm type that we expect to receive in the header.</param>
        /// <param name="expectedJweEnc">The encryption type that we expect to receive in the header.</param>
        /// <param name="settings">optional settings to override global DefaultSettings</param>
        /// <returns>Decrypted JweToken object</returns>
        /// <exception cref="IntegrityException">if AEAD operation validation failed</exception>
        /// <exception cref="EncryptionException">if JWE can't be decrypted</exception>
        /// <exception cref="InvalidAlgorithmException">if encryption or compression algorithm is not supported</exception>
        public static JweToken Decrypt(string jwe, object key, JweAlgorithm?expectedJweAlg = null, JweEncryption?expectedJweEnc = null, JwtSettings settings = null)
        {
            Ensure.IsNotEmpty(jwe, "Incoming jwe expected to be in a valid serialization form, not empty, whitespace or null.");

            settings = GetSettings(settings);

            JweToken token = Headers(jwe);

            if (token.ProtectedHeaderBytes == null && token.Encoding == SerializationMode.Compact)
            {
                throw new JoseException(string.Format("Protected header was missing but required with compact encoding."));
            }

            var exceptions = new List <Exception>();

            foreach (var recipient in token.Recipients)
            {
                var headerAlg    = settings.JwaAlgorithmFromHeader((string)recipient.JoseHeader["alg"]);
                var encryptedCek = recipient.EncryptedCek;

                // skip recipient if asked to do strict validation
                if (expectedJweAlg != null && expectedJweAlg != headerAlg)
                {
                    continue;
                }

                IKeyManagement keys = settings.Jwa(headerAlg);

                if (keys == null)
                {
                    throw new JoseException(string.Format("Unsupported JWA algorithm requested: {0}", headerAlg));
                }

                try
                {
                    JweEncryption headerEnc = settings.JweAlgorithmFromHeader((string)recipient.JoseHeader["enc"]);
                    IJweAlgorithm enc       = settings.Jwe(headerEnc);

                    if (enc == null)
                    {
                        throw new JoseException(string.Format("Unsupported JWE algorithm requested: {0}", headerEnc));
                    }

                    if (expectedJweEnc != null && expectedJweEnc != headerEnc)
                    {
                        throw new InvalidAlgorithmException("The encryption type passed to the Decrypt method did not match the encryption type in the header.");
                    }

                    byte[] cek       = keys.Unwrap(recipient.EncryptedCek, key, enc.KeySize, recipient.JoseHeader);
                    byte[] plaintext = enc.Decrypt(Aad(token.ProtectedHeaderBytes, token.Aad), cek, token.Iv, token.Ciphertext, token.AuthTag);

                    if (recipient.JoseHeader.TryGetValue("zip", out var compressionAlg))
                    {
                        var compression = settings.Compression((string)compressionAlg);

                        plaintext = compression.Decompress(plaintext);
                    }

                    token.PlaintextBytes = plaintext;
                    token.Recipient      = recipient;

                    return(token);
                }
                catch (ArgumentException ex)
                {
                    exceptions.Add(ex);
                }
                catch (JoseException ex)
                {
                    exceptions.Add(ex);
                }
            }

            // nobody was eligable for decryption
            if (exceptions.Count == 0)
            {
                throw new InvalidAlgorithmException("The algorithm type passed to the Decrypt method did not match the algorithm type in the header.");
            }

            // decryption failed
            if (exceptions.Select(e => new KeyValuePair <Type, String>(e.GetType(), e.Message)).Distinct().Count() == 1)
            {
                // throw the first
                throw exceptions[0];
            }
            else
            {
                throw new JoseException($"No recipients able to decrypt.", new AggregateException(exceptions));
            }
        }
Exemple #6
0
 private static JwtSettings GetSettings(JwtSettings settings)
 {
     return(settings ?? JWT.DefaultSettings);
 }
Exemple #7
0
        /// <summary>
        /// Encodes given json string to JWT token and sign it using given algorithm.
        /// </summary>
        /// <param name="payload">json string to encode (not null or whitespace)</param>
        /// <param name="key">key for signing, suitable for provided JWS algorithm, can be null.</param>
        /// <param name="algorithm">JWT algorithm to be used.</param>
        /// <param name="extraHeaders">optional extra headers to pass along with the payload.</param>
        /// <param name="settings">optional settings to override global DefaultSettings</param>
        /// <param name="options">additional encoding options</param>
        /// <returns>JWT in compact serialization form, digitally signed.</returns>
        public static string Encode(string payload, object key, JwsAlgorithm algorithm, IDictionary <string, object> extraHeaders = null, JwtSettings settings = null, JwtOptions options = null)
        {
            byte[] payloadBytes = Encoding.UTF8.GetBytes(payload);

            return(EncodeBytes(payloadBytes, key, algorithm, extraHeaders, settings, options));
        }
Exemple #8
0
 static JWT()
 {
     defaultSettings = new JwtSettings();
 }
Exemple #9
0
        /// <summary>
        /// Encodes given binary data to JWT token and applies requested encryption/compression algorithms.
        /// </summary>
        /// <param name="payload">Binary data to encode (not null)</param>
        /// <param name="key">key for encryption, suitable for provided JWS algorithm, can be null.</param>
        /// <param name="alg">JWT algorithm to be used.</param>
        /// <param name="enc">encryption algorithm to be used.</param>
        /// <param name="compression">optional compression type to use.</param>
        /// <param name="extraHeaders">optional extra headers to pass along with the payload.</param>
        /// <param name="settings">optional settings to override global DefaultSettings</param>
        /// <returns>JWT in compact serialization form, encrypted and/or compressed.</returns>
        public static string EncodeBytes(byte[] payload, object key, JweAlgorithm alg, JweEncryption enc, JweCompression?compression = null, IDictionary <string, object> extraHeaders = null, JwtSettings settings = null)
        {
            if (payload == null)
            {
                throw new ArgumentNullException(nameof(payload));
            }

            JwtSettings    jwtSettings = GetSettings(settings);
            IKeyManagement keys        = jwtSettings.Jwa(alg);
            IJweAlgorithm  _enc        = jwtSettings.Jwe(enc);

            if (keys == null)
            {
                throw new JoseException(string.Format("Unsupported JWA algorithm requested: {0}", alg));
            }

            if (_enc == null)
            {
                throw new JoseException(string.Format("Unsupported JWE algorithm requested: {0}", enc));
            }

            IDictionary <string, object> jwtHeader = new Dictionary <string, object> {
                { "alg", jwtSettings.JwaHeaderValue(alg) }, { "enc", jwtSettings.JweHeaderValue(enc) }
            };

            Dictionaries.Append(jwtHeader, extraHeaders);

            byte[][] contentKeys  = keys.WrapNewKey(_enc.KeySize, key, jwtHeader);
            byte[]   cek          = contentKeys[0];
            byte[]   encryptedCek = contentKeys[1];

            if (compression.HasValue)
            {
                jwtHeader["zip"] = jwtSettings.CompressionHeader(compression.Value);
                payload          = jwtSettings.Compression(compression.Value).Compress(payload);
            }

            byte[]   header   = Encoding.UTF8.GetBytes(jwtSettings.JsonMapper.Serialize(jwtHeader));
            byte[]   aad      = Encoding.UTF8.GetBytes(Compact.Serialize(header));
            byte[][] encParts = _enc.Encrypt(aad, payload, cek);

            return(Compact.Serialize(header, encryptedCek, encParts[0], encParts[1], encParts[2]));
        }
Exemple #10
0
 /// <summary>
 /// Serialize and encodes object to JWT token and sign it using given algorithm.
 /// Json string to encode will be obtained via configured IJsonMapper implementation.
 /// </summary>
 /// <param name="payload">object to map to json string and encode</param>
 /// <param name="key">key for signing, suitable for provided JWS algorithm, can be null.</param>
 /// <param name="algorithm">JWT algorithm to be used.</param>
 /// <param name="extraHeaders">optional extra headers to pass along with the payload.</param>
 /// <param name="settings">optional settings to override global DefaultSettings</param>
 /// <param name="options">additional encoding options</param>
 /// <returns>JWT in compact serialization form, digitally signed.</returns>
 public static string Encode(object payload, object key, JwsAlgorithm algorithm, IDictionary <string, object> extraHeaders = null, JwtSettings settings = null, JwtOptions options = null)
 {
     return(Encode(GetSettings(settings).JsonMapper.Serialize(payload), key, algorithm, extraHeaders, settings, options));
 }
Exemple #11
0
        /// <summary>
        /// Encodes given json string to JWT token and applies requested encryption/compression algorithms.
        /// Json string to encode will be obtained via configured IJsonMapper implementation.
        /// </summary>
        /// <param name="payload">json string to encode (not null or whitespace)</param>
        /// <param name="key">key for encryption, suitable for provided JWS algorithm, can be null.</param>
        /// <param name="alg">JWT algorithm to be used.</param>
        /// <param name="enc">encryption algorithm to be used.</param>
        /// <param name="compression">optional compression type to use.</param>
        /// <param name="extraHeaders">optional extra headers to pass along with the payload.</param>
        /// <param name="settings">optional settings to override global DefaultSettings</param>
        /// <returns>JWT in compact serialization form, encrypted and/or compressed.</returns>
        public static string Encode(string payload, object key, JweAlgorithm alg, JweEncryption enc, JweCompression?compression = null, IDictionary <string, object> extraHeaders = null, JwtSettings settings = null)
        {
            byte[] plainText = Encoding.UTF8.GetBytes(payload);

            return(EncodeBytes(plainText, key, alg, enc, compression, extraHeaders, settings));
        }
Exemple #12
0
 /// <summary>
 /// Serialize and encodes object to JWT token and applies requested encryption/compression algorithms.
 /// </summary>
 /// <param name="payload">json string to encode</param>
 /// <param name="key">key for encryption, suitable for provided JWS algorithm, can be null.</param>
 /// <param name="alg">JWT algorithm to be used.</param>
 /// <param name="enc">encryption algorithm to be used.</param>
 /// <param name="compression">optional compression type to use.</param>
 /// <param name="extraHeaders">optional extra headers to pass along with the payload.</param>
 /// <param name="settings">optional settings to override global DefaultSettings</param>
 /// <returns>JWT in compact serialization form, encrypted and/or compressed.</returns>
 public static string Encode(object payload, object key, JweAlgorithm alg, JweEncryption enc, JweCompression?compression = null, IDictionary <string, object> extraHeaders = null, JwtSettings settings = null)
 {
     return(Encode(GetSettings(settings).JsonMapper.Serialize(payload), key, alg, enc, compression, extraHeaders, settings));
 }
Exemple #13
0
 /// <summary>
 /// Parses signed JWT token, extracts payload part and attempts to unmarshal string to requested type with configured json mapper.
 /// This method is NOT supported for encrypted JWT tokens.
 /// This method is NOT performing integrity checking.
 /// </summary>
 /// <typeparam name="T">desired type after unmarshalling</typeparam>
 /// <param name="token">signed JWT token</param>
 /// <param name="settings">optional settings to override global DefaultSettings</param>
 /// <returns>unmarshalled payload</returns>
 /// <exception cref="JoseException">if encrypted JWT token is provided</exception>
 public static T Payload <T>(string token, JwtSettings settings = null)
 {
     return(GetSettings(settings).JsonMapper.Parse <T>(Payload(token)));
 }
Exemple #14
0
        private static string Decode(string token, object key = null, JwsAlgorithm?jwsAlg = null, JweAlgorithm?jweAlg = null, JweEncryption?jweEnc = null, JwtSettings settings = null, string payload = null)
        {
            var detached = payload != null?Encoding.UTF8.GetBytes(payload) : null;

            var payloadBytes = DecodeBytes(token, key, jwsAlg, jweAlg, jweEnc, settings, detached);

            return(Encoding.UTF8.GetString(payloadBytes));
        }
Exemple #15
0
        /// <summary>
        /// Encodes given binary data to JWT token and sign it using given algorithm.
        /// </summary>
        /// <param name="payload">Binary data to encode (not null)</param>
        /// <param name="key">key for signing, suitable for provided JWS algorithm, can be null.</param>
        /// <param name="algorithm">JWT algorithm to be used.</param>
        /// <param name="extraHeaders">optional extra headers to pass along with the payload.</param>
        /// <param name="settings">optional settings to override global DefaultSettings</param>
        /// <param name="options">additional encoding options</param>
        /// <returns>JWT in compact serialization form, digitally signed.</returns>
        public static string EncodeBytes(byte[] payload, object key, JwsAlgorithm algorithm, IDictionary <string, object> extraHeaders = null, JwtSettings settings = null, JwtOptions options = null)
        {
            if (payload == null)
            {
                throw new ArgumentNullException(nameof(payload));
            }

            var jwtSettings = GetSettings(settings);
            var jwtOptions  = options ?? JwtOptions.Default;

            var jwtHeader = new Dictionary <string, object> {
                { "alg", jwtSettings.JwsHeaderValue(algorithm) }
            };

            if (extraHeaders == null) //allow overload, but keep backward compatible defaults
            {
                extraHeaders = new Dictionary <string, object> {
                    { "typ", "JWT" }
                };
            }


            if (!jwtOptions.EncodePayload)
            {
                jwtHeader["b64"]  = false;
                jwtHeader["crit"] = Collections.Union(new[] { "b64" }, Dictionaries.Get(extraHeaders, "crit"));
            }

            Dictionaries.Append(jwtHeader, extraHeaders);
            byte[] headerBytes = Encoding.UTF8.GetBytes(jwtSettings.JsonMapper.Serialize(jwtHeader));

            var jwsAlgorithm = jwtSettings.Jws(algorithm);

            if (jwsAlgorithm == null)
            {
                throw new JoseException(string.Format("Unsupported JWS algorithm requested: {0}", algorithm));
            }

            byte[] signature = jwsAlgorithm.Sign(securedInput(headerBytes, payload, jwtOptions.EncodePayload), key);


            byte[] payloadBytes = jwtOptions.DetachPayload ? new byte[0] : payload;


            return(jwtOptions.EncodePayload
                ? Compact.Serialize(headerBytes, payloadBytes, signature)
                : Compact.Serialize(headerBytes, Encoding.UTF8.GetString(payloadBytes), signature));
        }
Exemple #16
0
        private static byte[] DecryptBytes(Compact.Iterator parts, object key, JweAlgorithm?jweAlg, JweEncryption?jweEnc, JwtSettings settings = null)
        {
            byte[] header       = parts.Next();
            byte[] encryptedCek = parts.Next();
            byte[] iv           = parts.Next();
            byte[] cipherText   = parts.Next();
            byte[] authTag      = parts.Next();

            JwtSettings jwtSettings = GetSettings(settings);
            IDictionary <string, object> jwtHeader = jwtSettings.JsonMapper.Parse <Dictionary <string, object> >(Encoding.UTF8.GetString(header));

            JweAlgorithm  headerAlg = jwtSettings.JwaAlgorithmFromHeader((string)jwtHeader["alg"]);
            JweEncryption headerEnc = jwtSettings.JweAlgorithmFromHeader((string)jwtHeader["enc"]);

            IKeyManagement keys = jwtSettings.Jwa(headerAlg);
            IJweAlgorithm  enc  = jwtSettings.Jwe(headerEnc);

            if (keys == null)
            {
                throw new JoseException(string.Format("Unsupported JWA algorithm requested: {0}", headerAlg));
            }

            if (enc == null)
            {
                throw new JoseException(string.Format("Unsupported JWE algorithm requested: {0}", headerEnc));
            }

            if (jweAlg != null && (JweAlgorithm)jweAlg != headerAlg)
            {
                throw new InvalidAlgorithmException("The algorithm type passed to the Decrypt method did not match the algorithm type in the header.");
            }

            if (jweEnc != null && (JweEncryption)jweEnc != headerEnc)
            {
                throw new InvalidAlgorithmException("The encryption type passed to the Decrypt method did not match the encryption type in the header.");
            }

            byte[] cek = keys.Unwrap(encryptedCek, key, enc.KeySize, jwtHeader);
            byte[] aad = Encoding.UTF8.GetBytes(Compact.Serialize(header));

            byte[] plainText = enc.Decrypt(aad, cek, iv, cipherText, authTag);

            if (jwtHeader.ContainsKey("zip"))
            {
                var compression = jwtSettings.Compression((string)jwtHeader["zip"]);

                plainText = compression.Decompress(plainText);
            }

            return(plainText);
        }
Exemple #17
0
 /// <summary>
 /// Decodes JWT token by performing necessary decompression/decryption and signature verification as defined in JWT token header.
 /// Resulting bytes of the payload are returned untouched (e.g. no parsing or mapping)
 /// </summary>
 /// <param name="token">JWT token in compact serialization form.</param>
 /// <param name="key">key for decoding suitable for JWT algorithm used.</param>
 /// <param name="alg">The algorithm type that we expect to receive in the header.</param>
 /// <param name="enc">The encryption type that we expect to receive in the header.</param>
 /// <param name="settings">optional settings to override global DefaultSettings</param>
 /// <returns>Decrypted payload as binary data</returns>
 /// <exception cref="IntegrityException">if signature validation failed</exception>
 /// <exception cref="EncryptionException">if JWT token can't be decrypted</exception>
 /// <exception cref="InvalidAlgorithmException">if JWT signature, encryption or compression algorithm is not supported</exception>
 public static byte[] DecodeBytes(string token, object key, JweAlgorithm alg, JweEncryption enc, JwtSettings settings = null)
 {
     return(DecodeBytes(token, key, null, alg, enc, settings));
 }
Exemple #18
0
 /// <summary>
 /// Parses JWT token, extracts and unmarshal headers as IDictionary<string, object>.
 /// This method is NOT performing integrity checking.
 /// </summary>
 /// <param name="token">signed JWT token</param>
 /// <param name="settings">optional settings to override global DefaultSettings</param>
 /// <returns>unmarshalled headers</returns>
 public static IDictionary <string, object> Headers(string token, JwtSettings settings = null)
 {
     return(Headers <IDictionary <string, object> >(token, settings));
 }
Exemple #19
0
 /// <summary>
 /// Decodes JWT token by performing necessary decompression/decryption and signature verification as defined in JWT token header.
 /// Resulting json string is returned untouched (e.g. no parsing or mapping)
 /// </summary>
 /// <param name="token">JWT token in compact serialization form.</param>
 /// <param name="key">key for decoding suitable for JWT algorithm used, can be null.</param>
 /// <param name="settings">optional settings to override global DefaultSettings</param>
 /// <param name="payload">optional detached payload</param>
 /// <returns>decoded json string</returns>
 /// <exception cref="IntegrityException">if signature validation failed</exception>
 /// <exception cref="EncryptionException">if JWT token can't be decrypted</exception>
 /// <exception cref="InvalidAlgorithmException">if JWT signature, encryption or compression algorithm is not supported</exception>
 public static string Decode(string token, object key = null, JwtSettings settings = null, string payload = null)
 {
     return(Decode(token, key, null, null, null, settings, payload));
 }
Exemple #20
0
 /// <summary>
 /// Encrypts given plaintext using JWE and applies requested encryption/compression algorithms.
 /// </summary>
 /// <param name="plaintext">Binary data to encrypt (not null)</param>
 /// <param name="recipients">The details of who to encrypt the plaintext (or rather the CEK) to.</param>
 /// <param name="enc">encryption algorithm to be used to encrypt the plaintext.</param>
 /// <param name="aad">additional authentication data (SerializationMode.Json only)</param>
 /// <param name="mode">serialization mode to use. Note only one recipient can be specified for compact and flattened json serialization.</param>
 /// <param name="compression">optional compression type to use.</param>
 /// <param name="extraProtectedHeaders">optional extra headers to put in the protected header.</param>
 /// <param name="unprotectedHeaders">optional unprotected headers</param>
 /// <param name="settings">optional settings to override global DefaultSettings</param>
 /// <returns>JWT in compact serialization form, encrypted and/or compressed.</returns>
 public static string Encrypt(string plaintext, IEnumerable <JweRecipient> recipients, JweEncryption enc, byte[] aad = null, SerializationMode mode = SerializationMode.Json, JweCompression?compression = null, IDictionary <string, object> extraProtectedHeaders = null, IDictionary <string, object> unprotectedHeaders = null, JwtSettings settings = null)
 {
     return(EncryptBytes(Encoding.UTF8.GetBytes(plaintext), recipients, enc, aad, mode, compression, extraProtectedHeaders, unprotectedHeaders, settings));
 }
Exemple #21
0
 /// <summary>
 /// Decodes JWT token by performing necessary decompression/decryption and signature verification as defined in JWT token header.
 /// Resulting binary payload is returned untouched (e.g. no parsing or mapping)
 /// </summary>
 /// <param name="token">JWT token in compact serialization form.</param>
 /// <param name="key">key for decoding suitable for JWT algorithm used, can be null.</param>
 /// <param name="settings">optional settings to override global DefaultSettings</param>
 /// <param name="payload">optional detached payload</param>
 /// <returns>The payload as binary data</returns>
 /// <exception cref="IntegrityException">if signature validation failed</exception>
 /// <exception cref="EncryptionException">if JWT token can't be decrypted</exception>
 /// <exception cref="InvalidAlgorithmException">if JWT signature, encryption or compression algorithm is not supported</exception>
 public static byte[] DecodeBytes(string token, object key = null, JwtSettings settings = null, byte[] payload = null)
 {
     return(DecodeBytes(token, key, null, null, null, settings, payload));
 }
Exemple #22
0
        /// <summary>
        /// Encrypts given binary plaintext using JWE and applies requested encryption/compression algorithms.
        /// </summary>
        /// <param name="plaintext">Binary data to encrypt (not null)</param>
        /// <param name="recipients">The details of who to encrypt the plaintext (or rather the CEK) to.</param>
        /// <param name="enc">encryption algorithm to be used to encrypt the plaintext.</param>
        /// <param name="aad">additional authentication data (SerializationMode.Json only)</param>
        /// <param name="mode">serialization mode to use. Note only one recipient can be specified for compact and flattened json serialization.</param>
        /// <param name="compression">optional compression type to use.</param>
        /// <param name="extraProtectedHeaders">optional extra headers to put in the protected header.</param>
        /// <param name="unprotectedHeaders">optional unprotected headers</param>
        /// <param name="settings">optional settings to override global DefaultSettings</param>
        /// <returns>JWT in compact serialization form, encrypted and/or compressed.</returns>
        public static string EncryptBytes(byte[] plaintext, IEnumerable <JweRecipient> recipients, JweEncryption enc, byte[] aad = null, SerializationMode mode = SerializationMode.Json, JweCompression?compression = null, IDictionary <string, object> extraProtectedHeaders = null, IDictionary <string, object> unprotectedHeaders = null, JwtSettings settings = null)
        {
            if (plaintext == null)
            {
                throw new ArgumentNullException(nameof(plaintext));
            }

            settings = GetSettings(settings);
            IJweAlgorithm _enc = settings.Jwe(enc);

            if (_enc == null)
            {
                throw new JoseException(string.Format("Unsupported JWE enc requested: {0}", enc));
            }

            IDictionary <string, object> joseProtectedHeader = Dictionaries.MergeHeaders(
                new Dictionary <string, object> {
                { "enc", settings.JweHeaderValue(enc) }
            },
                extraProtectedHeaders);

            byte[] cek = null;

            var recipientsOut = new List <JweRecipient>();

            foreach (var recipient in recipients)
            {
                IKeyManagement keys = settings.Jwa(recipient.Alg);

                if (keys == null)
                {
                    throw new JoseException(string.Format("Unsupported JWE alg requested: {0}", recipient.Alg));
                }

                // joseHeader - is merge of headers
                // - key management will read from (e.g. enc,apv,apu - ECDH-ES)
                // - key management will write to (e.g. iv, tag - AesGcmKW)
                IDictionary <string, object> joseHeader = Dictionaries.MergeHeaders(
                    joseProtectedHeader,
                    new Dictionary <string, object> {
                    { "alg", settings.JwaHeaderValue(recipient.Alg) }
                },
                    recipient.Header,
                    unprotectedHeaders
                    );

                byte[] encryptedCek;
                if (cek == null)
                {
                    byte[][] contentKeys = keys.WrapNewKey(_enc.KeySize, recipient.Key, joseHeader);
                    cek          = contentKeys[0];
                    encryptedCek = contentKeys[1];
                }
                else
                {
                    encryptedCek = keys.WrapKey(cek, recipient.Key, joseHeader);
                }

                // For the per-receipient header we want the headers from the result of IKeyManagements key wrapping but without the
                // shared headers
                IDictionary <string, object> recipientHeader = joseHeader
                                                               .Where(
                    kvp => !joseProtectedHeader.ContainsKey(kvp.Key) &&
                    (unprotectedHeaders == null || !unprotectedHeaders.ContainsKey(kvp.Key))
                    )
                                                               .ToDictionary(kvp => kvp.Key, kvp => kvp.Value);

                recipientsOut.Add(new JweRecipient(encryptedCek, recipientHeader));
            }

            if (compression.HasValue)
            {
                joseProtectedHeader["zip"] = settings.CompressionHeader(compression.Value);
                plaintext = settings.Compression(compression.Value).Compress(plaintext);
            }

            switch (mode)
            {
            case SerializationMode.Compact:
            {
                if (recipientsOut.Count != 1)
                {
                    throw new JoseException("Only one recipient is supported by the JWE Compact Serialization.");
                }

                if (aad != null)
                {
                    throw new JoseException("JWE AAD value is not valid for JWE Compact Serialization.");
                }

                joseProtectedHeader = Dictionaries.MergeHeaders(recipientsOut[0].Header, joseProtectedHeader);

                byte[] header = Encoding.UTF8.GetBytes(settings.JsonMapper.Serialize(joseProtectedHeader));
                aad = Encoding.UTF8.GetBytes(Compact.Serialize(header));
                byte[][] encParts = _enc.Encrypt(aad, plaintext, cek);

                return(new JweToken(
                           header,
                           null,
                           recipientsOut,
                           null,
                           encParts[0],
                           encParts[1],
                           encParts[2],
                           mode)
                       .AsString());
            }

            case SerializationMode.Json:
            {
                var      protectedHeaderBytes        = Encoding.UTF8.GetBytes(settings.JsonMapper.Serialize(joseProtectedHeader));
                byte[]   asciiEncodedProtectedHeader = Encoding.ASCII.GetBytes(Base64Url.Encode(protectedHeaderBytes));
                byte[][] encParts = _enc.Encrypt(Aad(protectedHeaderBytes, aad), plaintext, cek);

                return(new JweToken(
                           protectedHeaderBytes,
                           unprotectedHeaders,
                           recipientsOut,
                           aad,
                           encParts[0],
                           encParts[1],
                           encParts[2],
                           mode)
                       .AsString(settings.JsonMapper));
            }

            default:
                throw new JoseException($"Unsupported serializtion mode: {mode}.");
            }
        }
Exemple #23
0
 /// <summary>
 /// Encodes given binary data to JWT token and applies requested encryption/compression algorithms.
 /// </summary>
 /// <param name="payload">Binary data to encode (not null)</param>
 /// <param name="key">key for encryption, suitable for provided JWS algorithm, can be null.</param>
 /// <param name="alg">JWT algorithm to be used.</param>
 /// <param name="enc">encryption algorithm to be used.</param>
 /// <param name="compression">optional compression type to use.</param>
 /// <param name="extraHeaders">optional extra headers to pass along with the payload.</param>
 /// <param name="settings">optional settings to override global DefaultSettings</param>
 /// <returns>JWT in compact serialization form, encrypted and/or compressed.</returns>
 public static string EncodeBytes(byte[] payload, object key, JweAlgorithm alg, JweEncryption enc, JweCompression?compression = null, IDictionary <string, object> extraHeaders = null, JwtSettings settings = null)
 {
     return(JWE.Encrypt(payload, new Recipient[] { new Recipient(alg, key) }, enc, aad: null, SerializationMode.Compact, compression, extraHeaders, settings));
 }