public void ShouldGetCurrentToSignAndValidateJws(string algorithm, KeyType keyType)
{
var options = new JwksOptions()
{
Jws = JwsAlgorithm.Create(algorithm, keyType), KeyPrefix = $"{nameof(JsonWebKeySetServiceTests)}_"
};
_jwksService.GenerateSigningCredentials(options);
var signingCredentials = _jwksService.GetCurrentSigningCredentials();
var handler = new JsonWebTokenHandler();
var now = DateTime.Now;
var descriptor = new SecurityTokenDescriptor
{
Issuer = "me",
Audience = "you",
IssuedAt = now,
NotBefore = now,
Expires = now.AddMinutes(5),
Subject = new ClaimsIdentity(GenerateClaim().Generate(5)),
SigningCredentials = signingCredentials
};
var jwt = handler.CreateToken(descriptor);
var result = handler.ValidateToken(jwt,
new TokenValidationParameters
{
ValidIssuer = "me",
ValidAudience = "you",
IssuerSigningKey = signingCredentials.Key
});
result.IsValid.Should().BeTrue();
}
public void ShouldValidateJwe(string algorithm, KeyType keyType, string encryption)
{
var options = new JwksOptions()
{
KeyPrefix = $"{nameof(JsonWebKeySetServiceTests)}_",
Jwe = JweAlgorithm.Create(algorithm, keyType).WithEncryption(encryption)
};
var encryptingCredentials = _jwksService.GenerateEncryptingCredentials(options);
var handler = new JsonWebTokenHandler();
var now = DateTime.Now;
var jwt = new SecurityTokenDescriptor
{
Issuer = "me",
Audience = "you",
IssuedAt = now,
NotBefore = now,
Expires = now.AddMinutes(5),
Subject = new ClaimsIdentity(GenerateClaim().Generate(5)),
EncryptingCredentials = encryptingCredentials
};
var jwe = handler.CreateToken(jwt);
var result = handler.ValidateToken(jwe,
new TokenValidationParameters
{
ValidIssuer = "me",
ValidAudience = "you",
RequireSignedTokens = false,
TokenDecryptionKey = encryptingCredentials.Key
});
result.IsValid.Should().BeTrue();
}
private bool CheckCompatibility(SecurityKeyWithPrivate currentKey, JwksOptions options)
{
if (options == null)
{
options = _options.Value;
}
if (currentKey.JwkType == JsonWebKeyType.Jws)
{
if (currentKey.JwsAlgorithm == options.Jws)
{
return(true);
}
GenerateSigningCredentials(options);
}
if (currentKey.JwkType == JsonWebKeyType.Jwe)
{
if (currentKey.JweAlgorithm == options.Jwe)
{
return(true);
}
GenerateEncryptingCredentials(options);
}
return(false);
}
public void ShouldGenerateCurrentBasedInOptions(string algorithm, KeyType keyType)
{
_database.SecurityKeys.RemoveRange(_database.SecurityKeys.ToList());
_database.SaveChanges();
var options = new JwksOptions()
{
Algorithm = Algorithm.Create(algorithm, keyType)
};
var newKey = _keyService.GetCurrent(options);
newKey.Algorithm.Should().Be(algorithm);
}
public void ShouldSaveCryptoInDatabase(string algorithm, KeyType keyType)
{
_database.SecurityKeys.RemoveRange(_database.SecurityKeys.ToList());
_database.SaveChanges();
var options = new JwksOptions()
{
Algorithm = Algorithm.Create(algorithm, keyType)
};
_keyService.GetCurrent(options);
_database.SecurityKeys.Count().Should().BePositive();
}
public SigningCredentials Generate(JwksOptions options = null)
{
if (options == null)
{
options = _options.Value;
}
var key = _jwkService.Generate(options.Algorithm);
var t = new SecurityKeyWithPrivate();
t.SetParameters(key, options.Algorithm);
_store.Save(t);
return(new SigningCredentials(key, options.Algorithm));
}
public void ShouldSaveCryptoAndRecover(string algorithm, KeyType keyType)
{
var options = new JwksOptions()
{
Algorithm = Algorithm.Create(algorithm, keyType)
};
var newKey = _keyService.GetCurrent(options);
_keyService.GetLastKeysCredentials(5).Count.Should().BePositive();
var currentKey = _keyService.GetCurrent(options);
newKey.Kid.Should().Be(currentKey.Kid);
}
public EncryptingCredentials GenerateEncryptingCredentials(JwksOptions options = null)
{
if (options == null)
{
options = _options.Value;
}
var key = _jwkService.Generate(options.Jwe);
var t = new SecurityKeyWithPrivate();
t.SetJweParameters(key, options.Jwe);
_store.Save(t);
return(new EncryptingCredentials(key, options.Jwe, options.Jwe.Encryption));
}
private bool CheckCompatibility(SecurityKeyWithPrivate currentKey, JwksOptions options)
{
if (options == null)
{
options = _options.Value;
}
if (currentKey.Algorithm == options.Algorithm)
{
return(true);
}
Generate(options);
return(false);
}
public void ShouldSaveDeterministicJwkRecoverAndSigning(string algorithm, KeyType keyType)
{
_database.SecurityKeys.RemoveRange(_database.SecurityKeys.ToList());
_database.SaveChanges();
var options = new JwksOptions()
{
Algorithm = Algorithm.Create(algorithm, keyType)
};
var handler = new JsonWebTokenHandler();
var now = DateTime.Now;
// Generate right now and in memory
var newKey = _keyService.GetCurrent(options);
// recovered from database
var currentKey = _keyService.GetCurrent(options);
newKey.Kid.Should().Be(currentKey.Kid);
var claims = new ClaimsIdentity(GenerateClaim().Generate(5));
var descriptor = new SecurityTokenDescriptor
{
Issuer = "me",
Audience = "you",
IssuedAt = now,
NotBefore = now,
Expires = now.AddMinutes(5),
Subject = claims,
SigningCredentials = newKey
};
var descriptorFromDb = new SecurityTokenDescriptor
{
Issuer = "me",
Audience = "you",
IssuedAt = now,
NotBefore = now,
Expires = now.AddMinutes(5),
Subject = claims,
SigningCredentials = currentKey
};
var jwt1 = handler.CreateToken(descriptor);
var jwt2 = handler.CreateToken(descriptorFromDb);
jwt1.Should().Be(jwt2);
}
/// <summary>
/// If current doesn't exist will generate new one
/// </summary>
public SigningCredentials GetCurrent(JwksOptions options = null)
{
if (_store.NeedsUpdate())
{
// According NIST - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf - Private key should be removed when no longer needs
RemovePrivateKeys();
return(Generate(options));
}
var currentKey = _store.GetCurrentKey();
// options has change. Change current key
if (!CheckCompatibility(currentKey, options))
{
currentKey = _store.GetCurrentKey();
}
return(currentKey.GetSigningCredentials());
}
public void ShouldGenerateAndValidateJweAndJws()
{
this.WarmupData.Clear();
var options = new JwksOptions()
{
};
var handler = new JsonWebTokenHandler();
var now = DateTime.Now;
// Generate right now and in memory
var newKey = _keyService.GetCurrentEncryptingCredentials(options);
// recovered from database
var encryptingCredentials = _keyService.GetCurrentEncryptingCredentials(options);
var signingCredentials = _keyService.GetCurrentSigningCredentials(options);
var claims = new ClaimsIdentity(GenerateClaim().Generate(5));
var descriptorJws = new SecurityTokenDescriptor
{
Issuer = "me",
Audience = "you",
IssuedAt = now,
NotBefore = now,
Expires = now.AddMinutes(5),
Subject = claims,
SigningCredentials = signingCredentials
};
var descriptorJwe = new SecurityTokenDescriptor
{
Issuer = "me",
Audience = "you",
IssuedAt = now,
NotBefore = now,
Expires = now.AddMinutes(5),
Subject = claims,
EncryptingCredentials = encryptingCredentials
};
var jws = handler.CreateToken(descriptorJws);
var jwe = handler.CreateToken(descriptorJwe);
var result = handler.ValidateToken(jws,
new TokenValidationParameters
{
ValidIssuer = "me",
ValidAudience = "you",
IssuerSigningKey = signingCredentials.Key
});
result.IsValid.Should().BeTrue();
result = handler.ValidateToken(jwe,
new TokenValidationParameters
{
ValidIssuer = "me",
ValidAudience = "you",
RequireSignedTokens = false,
TokenDecryptionKey = encryptingCredentials.Key
});
result.IsValid.Should().BeTrue();
}
public void ShouldSaveJweRecoverAndEncrypt(string algorithm, KeyType keyType, string encryption)
{
this.WarmupData.Clear();
var options = new JwksOptions()
{
Jwe = JweAlgorithm.Create(algorithm, keyType).WithEncryption(encryption)
};
var handler = new JsonWebTokenHandler();
var now = DateTime.Now;
// Generate right now and in memory
var newKey = _keyService.GetCurrentEncryptingCredentials(options);
// recovered from database
var currentKey = _keyService.GetCurrentEncryptingCredentials(options);
newKey.Key.KeyId.Should().Be(currentKey.Key.KeyId);
var claims = new ClaimsIdentity(GenerateClaim().Generate(5));
var descriptor = new SecurityTokenDescriptor
{
Issuer = "me",
Audience = "you",
IssuedAt = now,
NotBefore = now,
Expires = now.AddMinutes(5),
Subject = claims,
EncryptingCredentials = newKey
};
var descriptorFromDb = new SecurityTokenDescriptor
{
Issuer = "me",
Audience = "you",
IssuedAt = now,
NotBefore = now,
Expires = now.AddMinutes(5),
Subject = claims,
EncryptingCredentials = currentKey
};
var jwt1 = handler.CreateToken(descriptor);
var jwt2 = handler.CreateToken(descriptorFromDb);
var result = handler.ValidateToken(jwt1,
new TokenValidationParameters
{
ValidIssuer = "me",
ValidAudience = "you",
RequireSignedTokens = false,
TokenDecryptionKey = currentKey.Key
});
result.IsValid.Should().BeTrue();
result = handler.ValidateToken(jwt2,
new TokenValidationParameters
{
ValidIssuer = "me",
ValidAudience = "you",
RequireSignedTokens = false,
TokenDecryptionKey = currentKey.Key
});
result.IsValid.Should().BeTrue();
}
