public void ShouldGetCurrentToSignAndValidateJws(string algorithm, KeyType keyType) { var options = new JwksOptions() { Jws = JwsAlgorithm.Create(algorithm, keyType), KeyPrefix = $"{nameof(JsonWebKeySetServiceTests)}_" }; _jwksService.GenerateSigningCredentials(options); var signingCredentials = _jwksService.GetCurrentSigningCredentials(); var handler = new JsonWebTokenHandler(); var now = DateTime.Now; var descriptor = new SecurityTokenDescriptor { Issuer = "me", Audience = "you", IssuedAt = now, NotBefore = now, Expires = now.AddMinutes(5), Subject = new ClaimsIdentity(GenerateClaim().Generate(5)), SigningCredentials = signingCredentials }; var jwt = handler.CreateToken(descriptor); var result = handler.ValidateToken(jwt, new TokenValidationParameters { ValidIssuer = "me", ValidAudience = "you", IssuerSigningKey = signingCredentials.Key }); result.IsValid.Should().BeTrue(); }
public void ShouldValidateJwe(string algorithm, KeyType keyType, string encryption) { var options = new JwksOptions() { KeyPrefix = $"{nameof(JsonWebKeySetServiceTests)}_", Jwe = JweAlgorithm.Create(algorithm, keyType).WithEncryption(encryption) }; var encryptingCredentials = _jwksService.GenerateEncryptingCredentials(options); var handler = new JsonWebTokenHandler(); var now = DateTime.Now; var jwt = new SecurityTokenDescriptor { Issuer = "me", Audience = "you", IssuedAt = now, NotBefore = now, Expires = now.AddMinutes(5), Subject = new ClaimsIdentity(GenerateClaim().Generate(5)), EncryptingCredentials = encryptingCredentials }; var jwe = handler.CreateToken(jwt); var result = handler.ValidateToken(jwe, new TokenValidationParameters { ValidIssuer = "me", ValidAudience = "you", RequireSignedTokens = false, TokenDecryptionKey = encryptingCredentials.Key }); result.IsValid.Should().BeTrue(); }
private bool CheckCompatibility(SecurityKeyWithPrivate currentKey, JwksOptions options) { if (options == null) { options = _options.Value; } if (currentKey.JwkType == JsonWebKeyType.Jws) { if (currentKey.JwsAlgorithm == options.Jws) { return(true); } GenerateSigningCredentials(options); } if (currentKey.JwkType == JsonWebKeyType.Jwe) { if (currentKey.JweAlgorithm == options.Jwe) { return(true); } GenerateEncryptingCredentials(options); } return(false); }
public void ShouldGenerateCurrentBasedInOptions(string algorithm, KeyType keyType) { _database.SecurityKeys.RemoveRange(_database.SecurityKeys.ToList()); _database.SaveChanges(); var options = new JwksOptions() { Algorithm = Algorithm.Create(algorithm, keyType) }; var newKey = _keyService.GetCurrent(options); newKey.Algorithm.Should().Be(algorithm); }
public void ShouldSaveCryptoInDatabase(string algorithm, KeyType keyType) { _database.SecurityKeys.RemoveRange(_database.SecurityKeys.ToList()); _database.SaveChanges(); var options = new JwksOptions() { Algorithm = Algorithm.Create(algorithm, keyType) }; _keyService.GetCurrent(options); _database.SecurityKeys.Count().Should().BePositive(); }
public SigningCredentials Generate(JwksOptions options = null) { if (options == null) { options = _options.Value; } var key = _jwkService.Generate(options.Algorithm); var t = new SecurityKeyWithPrivate(); t.SetParameters(key, options.Algorithm); _store.Save(t); return(new SigningCredentials(key, options.Algorithm)); }
public void ShouldSaveCryptoAndRecover(string algorithm, KeyType keyType) { var options = new JwksOptions() { Algorithm = Algorithm.Create(algorithm, keyType) }; var newKey = _keyService.GetCurrent(options); _keyService.GetLastKeysCredentials(5).Count.Should().BePositive(); var currentKey = _keyService.GetCurrent(options); newKey.Kid.Should().Be(currentKey.Kid); }
public EncryptingCredentials GenerateEncryptingCredentials(JwksOptions options = null) { if (options == null) { options = _options.Value; } var key = _jwkService.Generate(options.Jwe); var t = new SecurityKeyWithPrivate(); t.SetJweParameters(key, options.Jwe); _store.Save(t); return(new EncryptingCredentials(key, options.Jwe, options.Jwe.Encryption)); }
private bool CheckCompatibility(SecurityKeyWithPrivate currentKey, JwksOptions options) { if (options == null) { options = _options.Value; } if (currentKey.Algorithm == options.Algorithm) { return(true); } Generate(options); return(false); }
public void ShouldSaveDeterministicJwkRecoverAndSigning(string algorithm, KeyType keyType) { _database.SecurityKeys.RemoveRange(_database.SecurityKeys.ToList()); _database.SaveChanges(); var options = new JwksOptions() { Algorithm = Algorithm.Create(algorithm, keyType) }; var handler = new JsonWebTokenHandler(); var now = DateTime.Now; // Generate right now and in memory var newKey = _keyService.GetCurrent(options); // recovered from database var currentKey = _keyService.GetCurrent(options); newKey.Kid.Should().Be(currentKey.Kid); var claims = new ClaimsIdentity(GenerateClaim().Generate(5)); var descriptor = new SecurityTokenDescriptor { Issuer = "me", Audience = "you", IssuedAt = now, NotBefore = now, Expires = now.AddMinutes(5), Subject = claims, SigningCredentials = newKey }; var descriptorFromDb = new SecurityTokenDescriptor { Issuer = "me", Audience = "you", IssuedAt = now, NotBefore = now, Expires = now.AddMinutes(5), Subject = claims, SigningCredentials = currentKey }; var jwt1 = handler.CreateToken(descriptor); var jwt2 = handler.CreateToken(descriptorFromDb); jwt1.Should().Be(jwt2); }
/// <summary> /// If current doesn't exist will generate new one /// </summary> public SigningCredentials GetCurrent(JwksOptions options = null) { if (_store.NeedsUpdate()) { // According NIST - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf - Private key should be removed when no longer needs RemovePrivateKeys(); return(Generate(options)); } var currentKey = _store.GetCurrentKey(); // options has change. Change current key if (!CheckCompatibility(currentKey, options)) { currentKey = _store.GetCurrentKey(); } return(currentKey.GetSigningCredentials()); }
public void ShouldGenerateAndValidateJweAndJws() { this.WarmupData.Clear(); var options = new JwksOptions() { }; var handler = new JsonWebTokenHandler(); var now = DateTime.Now; // Generate right now and in memory var newKey = _keyService.GetCurrentEncryptingCredentials(options); // recovered from database var encryptingCredentials = _keyService.GetCurrentEncryptingCredentials(options); var signingCredentials = _keyService.GetCurrentSigningCredentials(options); var claims = new ClaimsIdentity(GenerateClaim().Generate(5)); var descriptorJws = new SecurityTokenDescriptor { Issuer = "me", Audience = "you", IssuedAt = now, NotBefore = now, Expires = now.AddMinutes(5), Subject = claims, SigningCredentials = signingCredentials }; var descriptorJwe = new SecurityTokenDescriptor { Issuer = "me", Audience = "you", IssuedAt = now, NotBefore = now, Expires = now.AddMinutes(5), Subject = claims, EncryptingCredentials = encryptingCredentials }; var jws = handler.CreateToken(descriptorJws); var jwe = handler.CreateToken(descriptorJwe); var result = handler.ValidateToken(jws, new TokenValidationParameters { ValidIssuer = "me", ValidAudience = "you", IssuerSigningKey = signingCredentials.Key }); result.IsValid.Should().BeTrue(); result = handler.ValidateToken(jwe, new TokenValidationParameters { ValidIssuer = "me", ValidAudience = "you", RequireSignedTokens = false, TokenDecryptionKey = encryptingCredentials.Key }); result.IsValid.Should().BeTrue(); }
public void ShouldSaveJweRecoverAndEncrypt(string algorithm, KeyType keyType, string encryption) { this.WarmupData.Clear(); var options = new JwksOptions() { Jwe = JweAlgorithm.Create(algorithm, keyType).WithEncryption(encryption) }; var handler = new JsonWebTokenHandler(); var now = DateTime.Now; // Generate right now and in memory var newKey = _keyService.GetCurrentEncryptingCredentials(options); // recovered from database var currentKey = _keyService.GetCurrentEncryptingCredentials(options); newKey.Key.KeyId.Should().Be(currentKey.Key.KeyId); var claims = new ClaimsIdentity(GenerateClaim().Generate(5)); var descriptor = new SecurityTokenDescriptor { Issuer = "me", Audience = "you", IssuedAt = now, NotBefore = now, Expires = now.AddMinutes(5), Subject = claims, EncryptingCredentials = newKey }; var descriptorFromDb = new SecurityTokenDescriptor { Issuer = "me", Audience = "you", IssuedAt = now, NotBefore = now, Expires = now.AddMinutes(5), Subject = claims, EncryptingCredentials = currentKey }; var jwt1 = handler.CreateToken(descriptor); var jwt2 = handler.CreateToken(descriptorFromDb); var result = handler.ValidateToken(jwt1, new TokenValidationParameters { ValidIssuer = "me", ValidAudience = "you", RequireSignedTokens = false, TokenDecryptionKey = currentKey.Key }); result.IsValid.Should().BeTrue(); result = handler.ValidateToken(jwt2, new TokenValidationParameters { ValidIssuer = "me", ValidAudience = "you", RequireSignedTokens = false, TokenDecryptionKey = currentKey.Key }); result.IsValid.Should().BeTrue(); }