public static IServiceCollection AddRSAHttpMessageSigning(this IServiceCollection services, Func <IServiceProvider, KeyId> keyIdFactory, Func <IServiceProvider, RSA> rsaFactory, Action <IServiceProvider, SigningSettings> signingSettingsConfig)
{
if (services == null)
{
throw new ArgumentNullException(nameof(services));
}
if (keyIdFactory == null)
{
throw new ArgumentNullException(nameof(keyIdFactory));
}
if (rsaFactory == null)
{
throw new ArgumentNullException(nameof(rsaFactory));
}
return(services.AddHttpMessageSigning(
keyIdFactory,
prov => {
var signingSettings = new SigningSettings {
SignatureAlgorithm = new RSASignatureAlgorithm(HashAlgorithmName.SHA512, rsaFactory(prov))
};
signingSettingsConfig?.Invoke(prov, signingSettings);
return signingSettings;
}));
}
public SigningStringCompositionRequest CreateForSigning(
HttpRequestForSigning request,
SigningSettings signingSettings,
DateTimeOffset?timeOfComposing,
TimeSpan?expires)
{
if (request == null)
{
throw new ArgumentNullException(nameof(request));
}
if (signingSettings == null)
{
throw new ArgumentNullException(nameof(signingSettings));
}
return(new SigningStringCompositionRequest {
Request = request.ToHttpRequestForSignatureString(),
RequestTargetEscaping = signingSettings.RequestTargetEscaping,
HeadersToInclude = signingSettings.Headers,
TimeOfComposing = timeOfComposing,
Expires = expires,
Nonce = signingSettings.EnableNonce
? _nonceGenerator.GenerateNonce()
: null
});
}
public void GivenInvalidSettings_ThrowsValidationException()
{
var invalidSettings = new SigningSettings();
Action act = () => _sut.Create(_keyId, invalidSettings);
act.Should().Throw <ValidationException>();
}
public RequestSignerTests()
{
FakeFactory.Create(
out _signatureCreator,
out _authorizationHeaderParamCreator,
out _dateHeaderEnsurer,
out _digestHeaderEnsurer,
out _systemClock,
out _logger);
_signingSettings = new SigningSettings {
Expires = TimeSpan.FromMinutes(5),
KeyId = new KeyId("client1"),
SignatureAlgorithm = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA512),
Headers = new[] {
HeaderName.PredefinedHeaderNames.RequestTarget,
HeaderName.PredefinedHeaderNames.Date,
new HeaderName("dalion_app_id")
}
};
_sut = new RequestSigner(
_signatureCreator,
_authorizationHeaderParamCreator,
_signingSettings,
_dateHeaderEnsurer,
_digestHeaderEnsurer,
_systemClock,
_logger);
}
public async Task CalculatesSignatureForExpectedRequest()
{
var compositionRequest = new SigningStringCompositionRequest();
HttpRequestForSigning interceptedRequest = null;
SigningSettings interceptedSigningSettings = null;
DateTimeOffset? interceptedTimeOfSigning = null;
TimeSpan?interceptedExpires = null;
A.CallTo(() => _stringCompositionRequestFactory.CreateForSigning(A <HttpRequestForSigning> ._, A <SigningSettings> ._, A <DateTimeOffset?> ._, A <TimeSpan?> ._))
.Invokes(call => {
interceptedRequest = call.GetArgument <HttpRequestForSigning>(0);
interceptedSigningSettings = call.GetArgument <SigningSettings>(1);
interceptedTimeOfSigning = call.GetArgument <DateTimeOffset?>(2);
interceptedExpires = call.GetArgument <TimeSpan?>(3);
})
.Returns(compositionRequest);
var composedString = "{the composed string}";
A.CallTo(() => _signingStringComposer.Compose(A <SigningStringCompositionRequest> ._))
.Returns(composedString);
await _sut.CreateSignature(_httpRequestMessage, _settings, _timeOfSigning, _expires);
interceptedRequest.Should().BeEquivalentTo(new HttpRequestForSigning {
Method = HttpMethod.Post,
RequestUri = "http://dalion.eu/api/resource/id1".ToUri(),
Headers = new HeaderDictionary(new Dictionary <string, StringValues> {
{ "H1", "v1" }
})
});
interceptedSigningSettings.Should().Be(_settings);
interceptedTimeOfSigning.Should().Be(_timeOfSigning);
interceptedExpires.Should().Be(_expires);
}
public CreateSignature()
{
_httpRequestMessage = new HttpRequestMessage {
Method = HttpMethod.Post,
RequestUri = new Uri("http://dalion.eu/api/resource/id1"),
Headers = { { "H1", "v1" } }
};
_settings = new SigningSettings {
Expires = TimeSpan.FromMinutes(5),
KeyId = new KeyId("client1"),
SignatureAlgorithm = A.Fake <ISignatureAlgorithm>(),
Headers = new[] {
HeaderName.PredefinedHeaderNames.RequestTarget,
HeaderName.PredefinedHeaderNames.Date,
new HeaderName("dalion_app_id")
},
UseDeprecatedAlgorithmParameter = false,
AuthorizationScheme = "TestScheme",
EnableNonce = true,
DigestHashAlgorithm = HashAlgorithmName.SHA384
};
_timeOfSigning = new DateTimeOffset(2020, 2, 24, 11, 20, 14, TimeSpan.Zero);
_expires = TimeSpan.FromMinutes(10);
A.CallTo(() => _settings.SignatureAlgorithm.Name).Returns("Custom");
_nonce = "abc123";
A.CallTo(() => _nonceGenerator.GenerateNonce()).Returns(_nonce);
}
public BaseTests()
{
_httpTest = new HttpTest();
_apiFilmesSettings = ConfigManager.ApiFilmesSettings;
_signingSettings = ConfigManager.SigningSettings;
_tokenSettings = ConfigManager.TokenSettings;
_systemSettings = ConfigManager.SystemSettings;
}
public RegisteredSigningSettingsTests()
{
_keyId = new KeyId("abc123");
_signatureAlgorithm = A.Fake <ISignatureAlgorithm>();
_signingSettings = new SigningSettings {
KeyId = _keyId, SignatureAlgorithm = _signatureAlgorithm
};
_sut = new RegisteredSigningSettings(_keyId, _signingSettings);
}
public RegisteredSigningSettings(KeyId keyId, SigningSettings signingSettings)
{
if (keyId == KeyId.Empty)
{
throw new ArgumentException($"The specified {nameof(keyId)} cannot be empty.", nameof(keyId));
}
KeyId = keyId;
SigningSettings = signingSettings ?? throw new ArgumentNullException(nameof(signingSettings));
}
public void WhenInvalidSettingsAreRegistered_ThrowsValidationException()
{
var invalidSettings = new SigningSettings();
A.CallTo(() => _registeredSignerSettingsStore.Get(_keyId))
.Returns(invalidSettings);
Action act = () => _sut.CreateFor(_keyId);
act.Should().Throw <ValidationException>();
}
public void SanitizeHeaderNamesToInclude(SigningSettings signingSettings, HttpRequestMessage request)
{
if (signingSettings == null)
{
throw new ArgumentNullException(nameof(signingSettings));
}
if (request == null)
{
throw new ArgumentNullException(nameof(request));
}
// When feature is disabled, don't take any further action
if (!signingSettings.AutomaticallyAddRecommendedHeaders)
{
return;
}
if (signingSettings.Headers == null)
{
signingSettings.Headers = Array.Empty <HeaderName>();
}
// According to the spec, the header (request-target) should always be a part of the signature string.
if (!signingSettings.Headers.Contains(HeaderName.PredefinedHeaderNames.RequestTarget))
{
signingSettings.Headers = AppendHeaderName(signingSettings.Headers, HeaderName.PredefinedHeaderNames.RequestTarget);
}
// According to the spec, when the algorithm starts with 'rsa', 'hmac' or 'ecdsa', the Date header should be part of the signature string.
if (signingSettings.SignatureAlgorithm.ShouldIncludeDateHeader() && !signingSettings.Headers.Contains(HeaderName.PredefinedHeaderNames.Date))
{
signingSettings.Headers = AppendHeaderName(signingSettings.Headers, HeaderName.PredefinedHeaderNames.Date);
}
// According to the spec, when the algorithm does not start with 'rsa', 'hmac' or 'ecdsa', the (created) header should be part of the signature string.
if (signingSettings.SignatureAlgorithm.ShouldIncludeCreatedHeader() && !signingSettings.Headers.Contains(HeaderName.PredefinedHeaderNames.Created))
{
signingSettings.Headers = AppendHeaderName(signingSettings.Headers, HeaderName.PredefinedHeaderNames.Created);
}
// According to the spec, when the algorithm does not start with 'rsa', 'hmac' or 'ecdsa', the (expires) header should be part of the signature string.
if (signingSettings.SignatureAlgorithm.ShouldIncludeExpiresHeader() && !signingSettings.Headers.Contains(HeaderName.PredefinedHeaderNames.Expires))
{
signingSettings.Headers = AppendHeaderName(signingSettings.Headers, HeaderName.PredefinedHeaderNames.Expires);
}
// When digest is enabled, make it part of the signature string
if (!string.IsNullOrEmpty(signingSettings.DigestHashAlgorithm.Name) && request.Method.SupportsBody() &&
!signingSettings.Headers.Contains(HeaderName.PredefinedHeaderNames.Digest))
{
signingSettings.Headers = AppendHeaderName(signingSettings.Headers, HeaderName.PredefinedHeaderNames.Digest);
}
}
/// <summary>
/// Adds http message signing registrations to the specified
/// <see cref="T:Microsoft.Extensions.DependencyInjection.IServiceCollection" />.
/// </summary>
/// <param name="keyId">
/// The <see cref="T:Dalion.HttpMessageSigning.KeyId" /> that the server can use to identify the client
/// application.
/// </param>
/// <param name="services">
/// The <see cref="T:Microsoft.Extensions.DependencyInjection.IServiceCollection" /> to add the
/// registrations to.
/// </param>
/// <param name="signingSettingsConfig">The action that configures the signing settings.</param>
/// <returns>
/// The <see cref="T:Microsoft.Extensions.DependencyInjection.IServiceCollection" /> to which the registrations
/// were added.
/// </returns>
public static IServiceCollection AddHttpMessageSigning(this IServiceCollection services, KeyId keyId, Action <SigningSettings> signingSettingsConfig)
{
if (services == null)
{
throw new ArgumentNullException(nameof(services));
}
return(services.AddHttpMessageSigning(keyId, prov => {
var newSettings = new SigningSettings();
signingSettingsConfig?.Invoke(newSettings);
return newSettings;
}));
}
public Create()
{
_keyId = new KeyId("client1");
_signingSettings = new SigningSettings {
Expires = TimeSpan.FromMinutes(5),
SignatureAlgorithm = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA512),
Headers = new[] {
HeaderName.PredefinedHeaderNames.RequestTarget,
HeaderName.PredefinedHeaderNames.Date,
new HeaderName("dalion_app_id")
}
};
}
public async Task <Signature> CreateSignature(HttpRequestMessage request, SigningSettings settings, DateTimeOffset timeOfSigning)
{
if (request == null)
{
throw new ArgumentNullException(nameof(request));
}
if (settings == null)
{
throw new ArgumentNullException(nameof(settings));
}
_signingSettingsSanitizer.SanitizeHeaderNamesToInclude(settings, request);
settings.Validate();
var nonce = settings.EnableNonce ? _nonceGenerator.GenerateNonce() : null;
var requestForSigning = request.ToRequestForSigning();
var signingString = _signingStringComposer.Compose(
requestForSigning,
settings.SignatureAlgorithm.Name,
settings.Headers,
timeOfSigning,
settings.Expires,
nonce);
var eventTask = settings.Events?.OnSigningStringComposed?.Invoke(request, signingString);
if (eventTask != null)
{
await eventTask;
}
_logger?.LogDebug("Composed the following signing string for request signing: {0}", signingString);
var signatureHash = settings.SignatureAlgorithm.ComputeHash(signingString);
var signatureString = _base64Converter.ToBase64(signatureHash);
_logger?.LogDebug("The base64 hash of the signature string for signing is '{0}'.", signatureString);
var signature = new Signature {
KeyId = settings.KeyId,
Algorithm = $"{settings.SignatureAlgorithm.Name.ToLowerInvariant()}-{settings.SignatureAlgorithm.HashAlgorithm.ToString().ToLowerInvariant()}",
Created = timeOfSigning,
Expires = timeOfSigning.Add(settings.Expires),
Headers = settings.Headers,
Nonce = nonce,
String = signatureString
};
return(signature);
}
public RequestSigner(
ISigningSettingsSanitizer signingSettingsSanitizer,
ISignatureCreator signatureCreator,
IAuthorizationHeaderParamCreator authorizationHeaderParamCreator,
SigningSettings signingSettings,
ISignatureHeaderEnsurer signatureHeaderEnsurer,
ISystemClock systemClock,
ILogger <RequestSigner> logger = null)
{
_signingSettingsSanitizer = signingSettingsSanitizer ?? throw new ArgumentNullException(nameof(signingSettingsSanitizer));
_signatureCreator = signatureCreator ?? throw new ArgumentNullException(nameof(signatureCreator));
_authorizationHeaderParamCreator = authorizationHeaderParamCreator ?? throw new ArgumentNullException(nameof(authorizationHeaderParamCreator));
_signingSettings = signingSettings ?? throw new ArgumentNullException(nameof(signingSettings));
_signatureHeaderEnsurer = signatureHeaderEnsurer ?? throw new ArgumentNullException(nameof(signatureHeaderEnsurer));
_systemClock = systemClock ?? throw new ArgumentNullException(nameof(systemClock));
_logger = logger;
}
public Task EnsureHeader(HttpRequestMessage request, SigningSettings signingSettings, DateTimeOffset timeOfSigning)
{
if (request == null)
{
throw new ArgumentNullException(nameof(request));
}
if (signingSettings == null)
{
throw new ArgumentNullException(nameof(signingSettings));
}
if (signingSettings.Headers.Contains(HeaderName.PredefinedHeaderNames.Date) && !request.Headers.Date.HasValue)
{
request.Headers.Date = timeOfSigning;
}
return(Task.CompletedTask);
}
public async Task <Signature> CreateSignature(HttpRequestMessage request, SigningSettings settings, DateTimeOffset timeOfSigning, TimeSpan expires)
{
if (request == null)
{
throw new ArgumentNullException(nameof(request));
}
if (settings == null)
{
throw new ArgumentNullException(nameof(settings));
}
var requestForSigning = request.ToHttpRequestForSigning();
var compositionRequest = _stringCompositionRequestFactory.CreateForSigning(requestForSigning, settings, timeOfSigning, expires);
var signingString = _signingStringComposer.Compose(compositionRequest);
var eventTask = settings.Events?.OnSigningStringComposed?.Invoke(request, ref signingString);
if (eventTask != null)
{
await eventTask.ConfigureAwait(continueOnCapturedContext : false);
}
_logger?.LogDebug("Composed the following signing string for request signing: {0}", signingString);
var signatureHash = settings.SignatureAlgorithm.ComputeHash(signingString);
var signatureString = _base64Converter.ToBase64(signatureHash);
_logger?.LogDebug("The base64 hash of the signature string for signing is '{0}'.", signatureString);
var signature = new Signature {
KeyId = settings.KeyId,
Algorithm = settings.UseDeprecatedAlgorithmParameter
? $"{settings.SignatureAlgorithm.Name.ToLowerInvariant()}-{settings.SignatureAlgorithm.HashAlgorithm.ToString().ToLowerInvariant()}"
: Signature.DefaultSignatureAlgorithm,
Created = timeOfSigning,
Expires = timeOfSigning.Add(expires),
Headers = settings.Headers,
Nonce = compositionRequest.Nonce,
String = signatureString
};
return(signature);
}
public SanitizeHeaderNamesToInclude()
{
_httpRequest = new HttpRequestMessage {
Method = HttpMethod.Post,
RequestUri = new Uri("http://dalion.eu/api/resource/id1")
};
_settings = new SigningSettings {
Expires = TimeSpan.FromMinutes(5),
KeyId = new KeyId("client1"),
SignatureAlgorithm = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA512),
Headers = new[] {
HeaderName.PredefinedHeaderNames.RequestTarget,
HeaderName.PredefinedHeaderNames.Date,
HeaderName.PredefinedHeaderNames.Expires,
new HeaderName("dalion_app_id")
},
DigestHashAlgorithm = HashAlgorithmName.SHA256
};
}
public async Task EnsureHeader(HttpRequestMessage request, SigningSettings signingSettings, DateTimeOffset timeOfSigning)
{
if (request == null)
{
throw new ArgumentNullException(nameof(request));
}
if (signingSettings == null)
{
throw new ArgumentNullException(nameof(signingSettings));
}
if (!request.Method.SupportsBody())
{
return;
}
if (string.IsNullOrEmpty(signingSettings.DigestHashAlgorithm.Name))
{
return;
}
if (request.Headers.Contains("Digest"))
{
return;
}
if (request.Content == null)
{
request.Headers.Add("Digest", string.Empty);
return;
}
var bodyBytes = await request.Content.ReadAsByteArrayAsync().ConfigureAwait(false);
using (var hashAlgorithm = HashAlgorithmFactory.Create(signingSettings.DigestHashAlgorithm)) {
if (hashAlgorithm == null)
{
throw new NotSupportedException($"The specified hash algorithm ({signingSettings.DigestHashAlgorithm.Name}) for digest is currently not supported.");
}
var payloadBytes = hashAlgorithm.ComputeHash(bodyBytes);
var digest = _base64Converter.ToBase64(payloadBytes);
var digestAlgorithmName = Constants.DigestHashAlgorithmNames[signingSettings.DigestHashAlgorithm.Name];
request.Headers.Add("Digest", $"{digestAlgorithmName}={digest}");
}
}
public void CreatesNewInstanceOfExpectedType()
{
var signingSettings = new SigningSettings {
Expires = TimeSpan.FromMinutes(5),
SignatureAlgorithm = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA512),
Headers = new[] {
HeaderName.PredefinedHeaderNames.RequestTarget,
HeaderName.PredefinedHeaderNames.Date,
new HeaderName("dalion_app_id")
}
};
A.CallTo(() => _registeredSignerSettingsStore.Get(_keyId))
.Returns(signingSettings);
var actual = _sut.CreateFor(_keyId);
actual.Should().NotBeNull().And.BeAssignableTo <RequestSigner>();
}
public EnsureHeader()
{
_timeOfSigning = new DateTimeOffset(2020, 2, 24, 11, 20, 14, TimeSpan.FromHours(1));
_httpRequest = new HttpRequestMessage {
Method = HttpMethod.Post,
RequestUri = new Uri("http://dalion.eu/api/resource/id1")
};
_settings = new SigningSettings {
Expires = TimeSpan.FromMinutes(5),
KeyId = "client1",
SignatureAlgorithm = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA512),
Headers = new[] {
HeaderName.PredefinedHeaderNames.RequestTarget,
HeaderName.PredefinedHeaderNames.Date,
HeaderName.PredefinedHeaderNames.Expires,
new HeaderName("dalion_app_id")
},
DigestHashAlgorithm = HashAlgorithmName.SHA256
};
}
public static void ConfigurarJwtToken(IServiceCollection services, IConfiguration configuration)
{
var signingSettings = new SigningSettings();
services.AddSingleton(signingSettings);
var tokenSettings = configuration.GetSettings <TokenSettings>();
services.AddAuthentication(opt =>
{
opt.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
opt.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(opt =>
{
opt.RequireHttpsMetadata = false;
opt.SaveToken = true;
opt.TokenValidationParameters = new TokenValidationParameters
{
IssuerSigningKey = signingSettings.Key,
ValidAudience = tokenSettings.Audience,
ValidIssuer = tokenSettings.Issuer,
ValidateIssuerSigningKey = true,
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ClockSkew = TimeSpan.Zero
};
});
services.AddAuthorization(opt =>
{
var builder = new AuthorizationPolicyBuilder();
var authPolicy = builder
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
.RequireAuthenticatedUser()
.Build();
opt.AddPolicy(JwtBearerDefaults.AuthenticationScheme, authPolicy);
});
}
public CreateForSigning()
{
_request = new HttpRequestForSigning();
_settings = new SigningSettings {
Expires = TimeSpan.FromMinutes(5),
KeyId = new KeyId("client1"),
SignatureAlgorithm = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA512),
Headers = new[] {
HeaderName.PredefinedHeaderNames.RequestTarget,
HeaderName.PredefinedHeaderNames.Date,
HeaderName.PredefinedHeaderNames.Expires,
new HeaderName("dalion_app_id")
},
DigestHashAlgorithm = HashAlgorithmName.SHA256,
EnableNonce = true,
RequestTargetEscaping = RequestTargetEscaping.RFC2396,
AutomaticallyAddRecommendedHeaders = true
};
_timeOfComposingUtc = new DateTimeOffset(2020, 9, 8, 13, 21, 14, TimeSpan.Zero);
_expires = TimeSpan.FromMinutes(3);
}
public IRequestSigner Create(KeyId keyId, SigningSettings signingSettings)
{
if (keyId == KeyId.Empty)
{
throw new ArgumentException("The specified key id cannot be empty.", nameof(keyId));
}
if (signingSettings == null)
{
throw new ArgumentNullException(nameof(signingSettings));
}
signingSettings.KeyId = keyId;
return(new RequestSigner(
_signingSettingsSanitizer,
_signatureCreator,
_authorizationHeaderParamCreator,
signingSettings,
_signatureHeaderEnsurer,
_systemClock,
_logger));
}
private Task OnRequestSigned(HttpRequestMessage request, Signature signature, SigningSettings settings)
{
_signedRequest = request;
return(Task.CompletedTask);
}
public RegisteredSigningSettings(KeyId keyId, SigningSettings signingSettings)
{
KeyId = keyId;
SigningSettings = signingSettings ?? throw new ArgumentNullException(nameof(signingSettings));
}
/// <summary>
/// Adds http message signing registrations to the specified
/// <see cref="T:Microsoft.Extensions.DependencyInjection.IServiceCollection" />.
/// </summary>
/// <param name="keyId">
/// The <see cref="T:Dalion.HttpMessageSigning.KeyId" /> that the server can use to identify the client
/// application.
/// </param>
/// <param name="services">
/// The <see cref="T:Microsoft.Extensions.DependencyInjection.IServiceCollection" /> to add the
/// registrations to.
/// </param>
/// <param name="signingSettings">The signing settings.</param>
/// <returns>
/// The <see cref="T:Microsoft.Extensions.DependencyInjection.IServiceCollection" /> to which the registrations
/// were added.
/// </returns>
public static IServiceCollection AddHttpMessageSigning(this IServiceCollection services, KeyId keyId, SigningSettings signingSettings)
{
if (services == null)
{
throw new ArgumentNullException(nameof(services));
}
if (signingSettings == null)
{
throw new ArgumentNullException(nameof(signingSettings));
}
return(services.AddHttpMessageSigning(keyId, prov => signingSettings));
}
public static async Task <string> Run(SignOptions options)
{
var serviceProvider = new ServiceCollection()
.AddHttpMessageSigning()
.BuildServiceProvider();
var requestSignerFactory = serviceProvider.GetRequiredService <IRequestSignerFactory>();
ISignatureAlgorithm signatureAlgorithm;
if (string.IsNullOrEmpty(options.KeyType) || options.KeyType.Equals("RSA", StringComparison.OrdinalIgnoreCase))
{
signatureAlgorithm = RSASignatureAlgorithm.CreateForSigning(HashAlgorithmName.SHA512, KeyReader.ReadRSA(options.PrivateKey));
}
else if (options.KeyType.Equals("P256", StringComparison.OrdinalIgnoreCase) || options.KeyType.Equals("ECDSA", StringComparison.OrdinalIgnoreCase))
{
signatureAlgorithm = ECDsaSignatureAlgorithm.CreateForSigning(HashAlgorithmName.SHA512, KeyReader.ReadECDsaPrivate(options.PrivateKey));
}
else if (options.KeyType.Equals("HMAC", StringComparison.OrdinalIgnoreCase))
{
signatureAlgorithm = SignatureAlgorithm.CreateForSigning(options.PrivateKey, HashAlgorithmName.SHA512);
}
else
{
throw new NotSupportedException("The specified key type is not supported.");
}
if (!string.IsNullOrEmpty(options.Algorithm) &&
!options.Algorithm.StartsWith("rsa", StringComparison.OrdinalIgnoreCase) &&
!options.Algorithm.StartsWith("hmac", StringComparison.OrdinalIgnoreCase) &&
!options.Algorithm.StartsWith("ecdsa", StringComparison.OrdinalIgnoreCase))
{
signatureAlgorithm = new CustomSignatureAlgorithm(options.Algorithm);
}
var signingSettings = new SigningSettings {
SignatureAlgorithm = signatureAlgorithm,
EnableNonce = false,
DigestHashAlgorithm = HashAlgorithmName.SHA256,
AutomaticallyAddRecommendedHeaders = false,
Headers = options.Headers
?.Split(new[] { ' ', ',' }, StringSplitOptions.RemoveEmptyEntries)
.Select(h => new HeaderName(h))
.ToArray()
};
var signer = requestSignerFactory.Create(
new KeyId("test"),
signingSettings);
var created = DateTimeOffset.UtcNow;
if (!string.IsNullOrEmpty(options.Created))
{
var createdUnix = int.Parse(options.Created);
created = DateTimeOffset.FromUnixTimeSeconds(createdUnix);
}
var expires = signingSettings.Expires;
if (!string.IsNullOrEmpty(options.Expires))
{
var expiresUnix = int.Parse(options.Expires);
var expiresAbsolute = DateTimeOffset.FromUnixTimeSeconds(expiresUnix);
expires = expiresAbsolute - created;
}
await signer.Sign(options.Message, created, expires);
var serializedMessage = HttpMessageSerializer.Serialize(options.Message);
return(serializedMessage);
}
/// <summary>
/// Cria um novo token JWT válido
/// </summary>
/// <param name="identity">Identidade do usuário</param>
/// <param name="jwtSettings">Configurações do token JWT</param>
/// <param name="signingSettings">Credênciais para assinatura do token</param>
/// <returns>Um token JWT válido</returns>
public static object CreateJwtToken(this ClaimsIdentity identity, JwtSettings jwtSettings, SigningSettings signingSettings)
{
var handler = new JwtSecurityTokenHandler();
var securityToken = handler.CreateToken(new SecurityTokenDescriptor
{
Subject = identity,
Issuer = jwtSettings.Issuer,
Audience = jwtSettings.Audience,
IssuedAt = jwtSettings.IssuedAt,
NotBefore = jwtSettings.NotBefore,
Expires = jwtSettings.Expiration,
SigningCredentials = signingSettings.SigningCredentials
});
var encodedJwt = handler.WriteToken(securityToken);
return(new
{
access_token = encodedJwt,
token_type = JwtBearerDefaults.AuthenticationScheme.ToLower(),
expires_in = (int)jwtSettings.ValidFor.TotalSeconds,
});
}
private void UpdateNonceEnabled(SigningSettings settings)
{
settings.EnableNonce = _nonceEnabled;
}
