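/// <summary>
/// Checks PBES2-HS256+A128KW key wrapping against the test vector of RFC 7518, Appendix C:
/// the wrapped key bytes and the "p2s" (salt) / "p2c" (iteration count) header members.
/// </summary>
public void Wrap_Rfc7518_Appendix_C()
{
    // Salt, content-encryption key and expected output copied from the RFC appendix.
    // The salt is injected through a stub generator so the wrap is deterministic.
    var salt = new byte[16] { 217, 96, 147, 112, 150, 117, 70, 247, 127, 8, 155, 137, 174, 42, 80, 215 };
    var staticKey = new byte[] { 111, 27, 25, 52, 66, 29, 20, 78, 92, 176, 56, 240, 65, 208, 82, 112, 161, 131, 36, 55, 202, 236, 185, 172, 129, 23, 153, 194, 195, 48, 253, 182 };
    var expectedEncryptedKey = new byte[] { 78, 186, 151, 59, 11, 141, 81, 240, 213, 245, 83, 211, 53, 188, 134, 188, 66, 125, 36, 200, 222, 124, 5, 103, 249, 52, 117, 184, 140, 81, 246, 158, 161, 177, 20, 33, 245, 57, 59, 4 };

    // 4096 iterations is the appendix's value, kept so the vector matches; it is a test
    // parameter, not a recommendation for a production iteration count.
    var kwp = new Pbes2KeyWrapper(
        PasswordBasedJwk.FromPassphrase(_password),
        EncryptionAlgorithm.A128CbcHS256,
        KeyManagementAlgorithm.Pbes2HS256A128KW,
        4096,
        (uint)salt.Length,
        new StubSaltGenerator(salt));
    var header = new JwtHeader
    {
        { JwtHeaderParameterNames.Alg, KeyManagementAlgorithm.Pbes2HS256A128KW.Name },
        { JwtHeaderParameterNames.Enc, EncryptionAlgorithm.A128CbcHS256.Name }
    };
    var destination = new byte[kwp.GetKeyWrapSize()];

    // The returned CEK is not needed: the assertions cover the wrapped bytes and the header.
    kwp.WrapKey(SymmetricJwk.FromByteArray(staticKey), header, destination);

    Assert.Equal(expectedEncryptedKey, destination);
    Assert.True(header.TryGetValue("p2s", out var jwtMember));
    Assert.Equal("2WCTcJZ1Rvd_CJuJripQ1w", (string)jwtMember.Value);
    Assert.True(header.TryGetValue("p2c", out jwtMember));
    Assert.Equal(4096u, (uint)jwtMember.Value);
}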
/// <summary>
/// Round-trips <paramref name="value"/> through the AES-NI A192CBC-HS384 encryptor and checks
/// that both the generic decryptor and the AES-NI decryptor recover the plaintext and that the
/// tag is 24 bytes. Returns without checking anything when AES intrinsics are unavailable.
/// </summary>
/// <param name="value">Text whose UTF-8 bytes are used as plaintext.</param>
public void EncryptSimd_Decrypt(string value)
{
    if (!System.Runtime.Intrinsics.X86.Aes.IsSupported)
    {
        // No intrinsics on this machine: the test body is skipped, not failed.
        return;
    }

    var plainBytes = Encoding.UTF8.GetBytes(value);
    // Output buffer is the plaintext length plus one block, rounded down to a multiple of 16.
    Span<byte> ciphertext = new byte[(plainBytes.Length + 16) & ~15];
    Span<byte> authenticationTag = new byte[48];
    Span<byte> recovered = new byte[ciphertext.Length];

    // Fixed test-only key and nonce; the nonce is also reused as associated data.
    var key = SymmetricJwk.FromByteArray(Encoding.UTF8.GetBytes("ThisIsA128bitKey" + "ThisIsA128bitKey" + "ThisIsA128bitKey"));
    var nonce = Encoding.UTF8.GetBytes("ThisIsAnInitVect");

    var encryptorNi = new AesCbcHmacEncryptor(EncryptionAlgorithm.A192CbcHS384, new Aes192CbcEncryptor());
    encryptorNi.Encrypt(key.AsSpan(), plainBytes, nonce, nonce, ciphertext, authenticationTag, out int tagSize);
    var tag = authenticationTag.Slice(0, tagSize);

    // Generic (non-intrinsic) decryptor.
    var decryptor = new AesCbcHmacDecryptor(EncryptionAlgorithm.A192CbcHS384, new AesCbcDecryptor(EncryptionAlgorithm.A192CbcHS384));
    bool ok = decryptor.TryDecrypt(key.K, ciphertext, nonce, nonce, tag, recovered, out int bytesWritten);
    Assert.True(ok);
    Assert.Equal(plainBytes, recovered.Slice(0, bytesWritten).ToArray());

    // AES-NI decryptor, on a cleared buffer so stale bytes cannot mask a failure.
    var decryptorNi = new AesCbcHmacDecryptor(EncryptionAlgorithm.A192CbcHS384, new Aes192CbcDecryptor());
    recovered.Clear();
    ok = decryptorNi.TryDecrypt(key.K, ciphertext, nonce, nonce, tag, recovered, out bytesWritten);
    Assert.True(ok);
    Assert.Equal(plainBytes, recovered.Slice(0, bytesWritten).ToArray());

    Assert.Equal(24, tagSize);
}
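/// <summary>
/// Builds a <see cref="DefaultAuditTrailStore"/> whose temporary storage lives in the
/// sub-directory <paramref name="path"/> under the user's application-data folder, falling
/// back to the user-profile folder when application-data is not available.
/// </summary>
/// <param name="path">Sub-directory, relative to the base folder, used for temporary storage.</param>
/// <returns>A store wired to a test logger and a fixed all-zero 32-byte storage key.</returns>
private static DefaultAuditTrailStore CreateStore(string path)
{
    // Environment.GetFolderPath returns an empty string, never null, when the folder does not
    // exist on this platform, so the previous "??" fallback could never trigger.
    var baseFolder = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
    if (string.IsNullOrEmpty(baseFolder))
    {
        baseFolder = Environment.GetFolderPath(Environment.SpecialFolder.UserProfile);
    }

    var options = new AuditTrailClientOptions
    {
        // Test-only key material; a real deployment supplies this key from a secret store.
        TemporaryStorageEncryptionKey = SymmetricJwk.FromByteArray(new byte[32]),
        TemporaryStoragePath = Path.Combine(baseFolder, path)
    };
    return new DefaultAuditTrailStore(Options.Create(options), new TestLogger<DefaultAuditTrailStore>());
}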
/// <summary>
/// Checks that the "dir" key wrapper hands back the static key itself as the content
/// encryption key: direct encryption wraps nothing.
/// </summary>
public void Wrap()
{
    // Fixed test-only key material.
    var staticKey = new byte[] { 111, 27, 25, 52, 66, 29, 20, 78, 92, 176, 56, 240, 65, 208, 82, 112, 161, 131, 36, 55, 202, 236, 185, 172, 129, 23, 153, 194, 195, 48, 253, 182 };
    var wrapper = new DirectKeyWrapper(SymmetricJwk.FromByteArray(staticKey), EncryptionAlgorithm.A128CbcHS256, KeyManagementAlgorithm.Dir);

    var header = new JwtHeader();
    var destination = new byte[wrapper.GetKeyWrapSize()];
    var cek = wrapper.WrapKey(null, header, destination);

    Assert.Equal(staticKey, cek.K.ToArray());
}
public void Unwrap() { var staticKey = new byte[] { 111, 27, 25, 52, 66, 29, 20, 78, 92, 176, 56, 240, 65, 208, 82, 112, 161, 131, 36, 55, 202, 236, 185, 172, 129, 23, 153, 194, 195, 48, 253, 182 }; var parsed = JwtHeaderDocument.TryParseHeader(Encoding.UTF8.GetBytes($"{{}}"), null, TokenValidationPolicy.NoValidation, out var jwtHeader, out var error); Assert.True(parsed); var kuwp = new DirectKeyUnwrapper(SymmetricJwk.FromByteArray(staticKey), EncryptionAlgorithm.A128CbcHS256, KeyManagementAlgorithm.Dir); byte[] unwrappedKey = new byte[kuwp.GetKeyUnwrapSize(staticKey.Length)]; var unwrapped = kuwp.TryUnwrapKey(default, unwrappedKey, jwtHeader, out _);
/// <summary>
/// Sample: builds a symmetric JWK from raw key bytes, assigns it a key id and prints it.
/// </summary>
private static void ReadSymmetricKeyFromByteArray()
{
    // SymmetricJwk.FromByteArray takes the raw key material as bytes; the Base64-URL
    // string form is handled by SymmetricJwk.FromBase64Url instead.
    var rawKey = new byte[32] { 71, 211, 50, 89, 161, 40, 202, 35, 24, 86, 37, 86, 163, 193, 100, 225, 53, 6, 90, 36, 168, 105, 110, 148, 214, 115, 170, 94, 184, 188, 253, 117 };

    var jwk = SymmetricJwk.FromByteArray(rawKey);
    jwk.Kid = "binary";

    // Writing the JWK to the console presumably includes its secret bytes; acceptable here
    // only because this is a throwaway sample key.
    Console.WriteLine("JWK from byte array:");
    Console.WriteLine(jwk);
    Console.WriteLine();
}
/// <summary>
/// Checks that decrypting empty input with an empty tag fails cleanly: the A128CBC-HS256
/// decryptor returns false and writes nothing.
/// </summary>
public void Decrypt_Empty()
{
    // Fixed test-only key; everything else is deliberately empty.
    var key = SymmetricJwk.FromByteArray(Encoding.UTF8.GetBytes("ThisIsA128bitKey" + "ThisIsA128bitKey"));
    Span<byte> ciphertext = default;
    Span<byte> tag = default;
    Span<byte> nonce = default;
    Span<byte> associatedData = default;
    var plaintext = Array.Empty<byte>();

    var decryptor = new AesCbcHmacDecryptor(EncryptionAlgorithm.A128CbcHS256);
    bool ok = decryptor.TryDecrypt(key.K, ciphertext, nonce, associatedData, tag, plaintext, out int bytesWritten);

    Assert.False(ok);
    Assert.Equal(0, bytesWritten);
}
/// <summary>
/// Creates the generic host for the sample: the <see cref="Worker"/> hosted service plus the
/// audit-trail client, pointed at a local delivery endpoint and the public IdentityServer
/// demo token endpoint.
/// </summary>
/// <param name="args">Command-line arguments forwarded to the default host builder.</param>
/// <returns>The configured, not yet built, host builder.</returns>
public static IHostBuilder CreateHostBuilder(string[] args)
{
    var builder = Host.CreateDefaultBuilder(args);
    return builder.ConfigureServices((hostContext, services) =>
    {
        services.AddHostedService<Worker>();
        services.AddAuditTrailClient(options =>
        {
            options.DeliveryEndpoint = "https://localhost:5001/events";
            // Sample-only key material: all zeros.
            options.TemporaryStorageEncryptionKey = SymmetricJwk.FromByteArray(new byte[32]);
            // Demo credentials for the public IdentityServer demo instance. A real deployment
            // supplies ClientSecret from configuration or a secret store, not from source.
            options.TokenClientOptions.Address = "https://demo.identityserver.io/connect/token";
            options.TokenClientOptions.ClientId = "m2m";
            options.TokenClientOptions.ClientSecret = "secret";
        });
    });
}
/// <summary>
/// Creates a test host whose audit-trail client sends through <paramref name="handler"/>
/// instead of a real network and whose token acquirer is replaced by a no-op.
/// </summary>
/// <param name="handler">Handler that captures or fakes the outgoing HTTP requests.</param>
/// <returns>The configured, not yet built, host builder.</returns>
private static IHostBuilder CreateHostBuilder(TestHttpMessageHandler handler)
{
    var builder = Host.CreateDefaultBuilder();
    return builder.ConfigureServices((hostContext, services) =>
    {
        var clientBuilder = services.AddAuditTrailClient(o =>
        {
            o.DeliveryEndpoint = "https://example.com/events/";
            // Test-only key material: all zeros.
            o.TemporaryStorageEncryptionKey = SymmetricJwk.FromByteArray(new byte[32]);
        });
        clientBuilder.ConfigurePrimaryHttpMessageHandler(() => handler);
        clientBuilder.ConfigureHttpClient(builder => { });

        // No token exchange in tests: swap the acquirer for the null implementation.
        var nullAcquirer = new ServiceDescriptor(typeof(IAccessTokenAcquirer), typeof(NullTokenAcquirer), ServiceLifetime.Singleton);
        services.Replace(nullAcquirer);
    });
}
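/// <summary>
/// Enumerates every key of the vault and converts it to a <see cref="Jwk"/>.
/// Octet, RSA and (outside .NET Framework) EC keys are mapped; other key types are skipped.
/// </summary>
/// <returns>The converted keys, each with its Kid set to the vault key id and its KeyOps copied.</returns>
private async Task<Jwk[]> GetKeysAsync()
{
    var keys = new List<Jwk>();
    await foreach (var keyProperties in _client.GetPropertiesOfKeysAsync())
    {
        var kvKey = await _client.GetKeyAsync(keyProperties.Name);
        var keyType = kvKey.Value.KeyType;

        Jwk? key = null;
        if (keyType == KeyType.Oct)
        {
            key = SymmetricJwk.FromByteArray(kvKey.Value.Key.K, false);
        }
        else if (keyType == KeyType.Rsa || keyType == KeyType.RsaHsm)
        {
            // NOTE(review): both calls ask for private parameters; confirm this does not throw
            // for vault keys that are returned without private material.
            key = RsaJwk.FromParameters(kvKey.Value.Key.ToRSA(true).ExportParameters(true), false);
        }
#if !NETFRAMEWORK
        else if (keyType == KeyType.Ec || keyType == KeyType.EcHsm)
        {
            // The converted EC key used to be discarded (never assigned), so EC keys silently
            // never reached the result set.
            key = ECJwk.FromParameters(ConvertToECParameters(kvKey.Value), computeThumbprint: false);
        }
#endif
        if (key is null)
        {
            continue;
        }

        // Thumbprint computation is disabled above; the vault key id is used as Kid instead.
        key.Kid = JsonEncodedText.Encode(kvKey.Value.Key.Id);
        if (kvKey.Value.Key.KeyOps != null)
        {
            foreach (var operation in kvKey.Value.Key.KeyOps)
            {
                key.KeyOps.Add(JsonEncodedText.Encode(operation.ToString()));
            }
        }
        keys.Add(key);
    }

    return keys.ToArray();
}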
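/// <summary>
/// Synchronously enumerates every key of the vault and converts it to a <see cref="Jwk"/>.
/// Octet, RSA and (outside .NET Framework) EC keys are mapped; other key types are skipped.
/// </summary>
/// <returns>A <see cref="Jwks"/> keyed by the vault URI, holding the converted keys.</returns>
protected override Jwks GetKeysFromSource()
{
    var keys = new List<Jwk>();
    foreach (var keyProperties in _client.GetPropertiesOfKeys())
    {
        var kvKey = _client.GetKey(keyProperties.Name);
        var keyType = kvKey.Value.KeyType;

        Jwk? key = null;
        if (keyType == KeyType.Oct)
        {
            key = SymmetricJwk.FromByteArray(kvKey.Value.Key.K, false);
        }
        else if (keyType == KeyType.Rsa || keyType == KeyType.RsaHsm)
        {
            // NOTE(review): both calls ask for private parameters; confirm this does not throw
            // for vault keys that are returned without private material.
            key = RsaJwk.FromParameters(kvKey.Value.Key.ToRSA(true).ExportParameters(true), false);
        }
#if !NETFRAMEWORK
        else if (keyType == KeyType.Ec || keyType == KeyType.EcHsm)
        {
            // The converted EC key used to be discarded (never assigned), so EC keys silently
            // never reached the result set.
            key = ECJwk.FromParameters(ConvertToECParameters(kvKey.Value), computeThumbprint: false);
        }
#endif
        if (key is null)
        {
            continue;
        }

        // Thumbprint computation is disabled above; the vault key id is used as Kid instead.
        key.Kid = JsonEncodedText.Encode(kvKey.Value.Key.Id);
        if (kvKey.Value.Key.KeyOps != null)
        {
            foreach (var operation in kvKey.Value.Key.KeyOps)
            {
                key.KeyOps.Add(JsonEncodedText.Encode(operation.ToString()));
            }
        }
        keys.Add(key);
    }

    return new Jwks(_client.VaultUri.ToString(), keys);
}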
/// <summary>
/// Checks that decrypting empty input with an empty tag fails cleanly for A192CBC-HS384,
/// with both the generic decryptor and the AES-NI decryptor: false is returned and nothing
/// is written. Returns without checking anything when AES intrinsics are unavailable.
/// </summary>
public void Decrypt_Empty()
{
    if (!System.Runtime.Intrinsics.X86.Aes.IsSupported)
    {
        // No intrinsics on this machine: the test body is skipped, not failed.
        return;
    }

    // Fixed test-only key; everything else is deliberately empty.
    var key = SymmetricJwk.FromByteArray(Encoding.UTF8.GetBytes("ThisIsA128bitKey" + "ThisIsA128bitKey" + "ThisIsA128bitKey"));
    Span<byte> ciphertext = default;
    Span<byte> tag = default;
    Span<byte> nonce = default;
    Span<byte> associatedData = default;
    var plaintext = Array.Empty<byte>();

    var decryptor = new AesCbcHmacDecryptor(EncryptionAlgorithm.A192CbcHS384);
    bool ok = decryptor.TryDecrypt(key.K, ciphertext, nonce, associatedData, tag, plaintext, out int bytesWritten);
    Assert.False(ok);
    Assert.Equal(0, bytesWritten);

    var decryptorNi = new AesCbcHmacDecryptor(EncryptionAlgorithm.A192CbcHS384, new Aes192CbcDecryptor());
    ok = decryptorNi.TryDecrypt(key.K, ciphertext, nonce, associatedData, tag, plaintext, out bytesWritten);
    Assert.False(ok);
    Assert.Equal(0, bytesWritten);
}
/// <summary>
/// Builds a SET (security event token) descriptor carrying a single SCIM "create" event,
/// signed with HS256 using a fixed test key.
/// </summary>
/// <returns>The descriptor with its payload populated.</returns>
private static SecEventDescriptor CreateDescriptor()
{
    // Fixed all-zero 16-byte test key. NOTE(review): RFC 7518 requires an HS256 key of at
    // least 256 bits; confirm the library accepts 16 bytes here.
    var signingKey = SymmetricJwk.FromByteArray(new byte[16]);

    var createEvent = new JsonObject
    {
        { "ref", "https://scim.example.com/Users/44f6142df96bd6ab61e7521d9" },
        { "attributes", new object[] { "id", "name", "userName", "password", "emails" } }
    };
    var events = new JsonObject
    {
        { "urn:ietf:params:scim:event:create", createEvent }
    };
    var payload = new JwtPayload
    {
        { "iss", "https://client.example.com" },
        { "iat", EpochTime.UtcNow },
        { "jti", "4d3559ec67504aaba65d40b0363faad8" },
        { "aud", new[] { "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754", "https://scim.example.com/Feeds/5d7604516b1d08641d7676ee7" } },
        { "events", events }
    };

    return new SecEventDescriptor(signingKey, SignatureAlgorithm.HS256) { Payload = payload };
}
/// <summary>
/// Returns a fixed test key: a symmetric JWK built from the UTF-8 bytes of 128 'a' characters.
/// </summary>
private static Jwk GetJwk()
{
    var keyBytes = Encoding.UTF8.GetBytes(new string('a', 128));
    return SymmetricJwk.FromByteArray(keyBytes);
}