コード例 #1
ファイル: PbesKeyWrapTests.cs プロジェクト: watfordgnf/Jwt
        public void Wrap_Rfc7518_Appendix_C()
        {
            // Known-answer test: salt, key to wrap, iteration count and the expected wrapped key are the
            // PBES2-HS256+A128KW vectors of RFC 7518, Appendix C. The salt generator is stubbed so the
            // derivation is deterministic and the output can be compared byte for byte.
            byte[] saltInput = { 217, 96, 147, 112, 150, 117, 70, 247, 127, 8, 155, 137, 174, 42, 80, 215 };
            byte[] keyToWrap = { 111, 27, 25, 52, 66, 29, 20, 78, 92, 176, 56, 240, 65, 208, 82, 112, 161, 131, 36, 55, 202, 236, 185, 172, 129, 23, 153, 194, 195, 48, 253, 182 };
            byte[] expectedWrapped = { 78, 186, 151, 59, 11, 141, 81, 240, 213, 245, 83, 211, 53, 188, 134, 188, 66, 125, 36, 200, 222, 124, 5, 103, 249, 52, 117, 184, 140, 81, 246, 158, 161, 177, 20, 33, 245, 57, 59, 4 };
            const int iterationCount = 4096;

            var wrapper = new Pbes2KeyWrapper(
                PasswordBasedJwk.FromPassphrase(_password),
                EncryptionAlgorithm.A128CbcHS256,
                KeyManagementAlgorithm.Pbes2HS256A128KW,
                iterationCount,
                (uint)saltInput.Length,
                new StubSaltGenerator(saltInput));

            var header = new JwtHeader();
            header.Add(JwtHeaderParameterNames.Alg, KeyManagementAlgorithm.Pbes2HS256A128KW.Name);
            header.Add(JwtHeaderParameterNames.Enc, EncryptionAlgorithm.A128CbcHS256.Name);

            var wrapped = new byte[wrapper.GetKeyWrapSize()];
            _ = wrapper.WrapKey(SymmetricJwk.FromByteArray(keyToWrap), header, wrapped);

            // The wrapped bytes must match the RFC vector, and the wrapper must have recorded the
            // PBES2 parameters in the header: the Base64url salt ("p2s") and the iteration count ("p2c").
            Assert.Equal(expectedWrapped, wrapped);
            Assert.True(header.TryGetValue("p2s", out var member));
            Assert.Equal("2WCTcJZ1Rvd_CJuJripQ1w", (string)member.Value);
            Assert.True(header.TryGetValue("p2c", out member));
            Assert.Equal(4096u, (uint)member.Value);
        }
コード例 #2
        public void EncryptSimd_Decrypt(string value)
        {
            // The hardware (X86 AES) encryptor/decryptor under test only exists where the CPU supports it.
            if (!System.Runtime.Intrinsics.X86.Aes.IsSupported)
            {
                return;
            }

            byte[] input = Encoding.UTF8.GetBytes(value);
            // CBC output is padded up to the next 16-byte boundary; an already aligned input gains a full block.
            Span<byte> ciphertext = new byte[(input.Length + 16) & ~15];
            Span<byte> tag = new byte[48];
            Span<byte> recovered = new byte[ciphertext.Length];

            // 48 bytes of key material for A192CBC-HS384. The IV is also passed as the associated-data argument.
            var key = SymmetricJwk.FromByteArray(Encoding.UTF8.GetBytes("ThisIsA128bitKey" + "ThisIsA128bitKey" + "ThisIsA128bitKey"));
            byte[] iv = Encoding.UTF8.GetBytes("ThisIsAnInitVect");

            // Encrypt on the hardware path ...
            var hardwareEncryptor = new AesCbcHmacEncryptor(EncryptionAlgorithm.A192CbcHS384, new Aes192CbcEncryptor());
            hardwareEncryptor.Encrypt(key.AsSpan(), input, iv, iv, ciphertext, tag, out int tagLength);

            // ... and verify the portable decryptor reads it back.
            var portableDecryptor = new AesCbcHmacDecryptor(EncryptionAlgorithm.A192CbcHS384, new AesCbcDecryptor(EncryptionAlgorithm.A192CbcHS384));
            bool ok = portableDecryptor.TryDecrypt(key.K, ciphertext, iv, iv, tag.Slice(0, tagLength), recovered, out int recoveredLength);
            Assert.True(ok);
            Assert.Equal(input, recovered.Slice(0, recoveredLength).ToArray());

            // Then the hardware decryptor, on a cleared buffer so a stale result cannot satisfy the assertion.
            var hardwareDecryptor = new AesCbcHmacDecryptor(EncryptionAlgorithm.A192CbcHS384, new Aes192CbcDecryptor());
            recovered.Clear();
            ok = hardwareDecryptor.TryDecrypt(key.K, ciphertext, iv, iv, tag.Slice(0, tagLength), recovered, out recoveredLength);
            Assert.True(ok);
            Assert.Equal(input, recovered.Slice(0, recoveredLength).ToArray());
            // HS384 truncates the HMAC tag to 24 bytes.
            Assert.Equal(24, tagLength);
        }
コード例 #3
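 /// <summary>
 /// Builds an audit-trail store rooted under the per-user ApplicationData folder (or the profile
 /// root when that folder is not defined on the platform), with a test-only encryption key.
 /// </summary>
 /// <param name="path">Relative directory name appended to the base folder.</param>
 private static DefaultAuditTrailStore CreateStore(string path)
 {
     // Environment.GetFolderPath never returns null: it returns "" when the folder does not exist,
     // so '??' would never have selected the fallback. Check for an empty result instead.
     string appData = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
     string baseDirectory = string.IsNullOrEmpty(appData)
         ? Environment.GetFolderPath(Environment.SpecialFolder.UserProfile)
         : appData;

     var options = new AuditTrailClientOptions
     {
         // All-zero key: a fixture for tests only, not usable as a real storage key.
         TemporaryStorageEncryptionKey = SymmetricJwk.FromByteArray(new byte[32]),
         TemporaryStoragePath = Path.Combine(baseDirectory, path)
     };

     return new DefaultAuditTrailStore(Options.Create(options), new TestLogger<DefaultAuditTrailStore>());
 }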
コード例 #4
        public void Wrap()
        {
            // With "dir" key management there is no wrapping step: the configured key is the CEK,
            // so WrapKey must return exactly the bytes it was constructed with.
            byte[] cekBytes = { 111, 27, 25, 52, 66, 29, 20, 78, 92, 176, 56, 240, 65, 208, 82, 112, 161, 131, 36, 55, 202, 236, 185, 172, 129, 23, 153, 194, 195, 48, 253, 182 };
            var directWrapper = new DirectKeyWrapper(SymmetricJwk.FromByteArray(cekBytes), EncryptionAlgorithm.A128CbcHS256, KeyManagementAlgorithm.Dir);

            var header = new JwtHeader();
            var wrapped = new byte[directWrapper.GetKeyWrapSize()];
            var cek = directWrapper.WrapKey(null, header, wrapped);

            Assert.Equal(cekBytes, cek.K.ToArray());
        }
コード例 #5
        public void Unwrap()
        {
            var staticKey = new byte[] { 111, 27, 25, 52, 66, 29, 20, 78, 92, 176, 56, 240, 65, 208, 82, 112, 161, 131, 36, 55, 202, 236, 185, 172, 129, 23, 153, 194, 195, 48, 253, 182 };

            var parsed = JwtHeaderDocument.TryParseHeader(Encoding.UTF8.GetBytes($"{{}}"), null, TokenValidationPolicy.NoValidation, out var jwtHeader, out var error);

            Assert.True(parsed);

            var kuwp = new DirectKeyUnwrapper(SymmetricJwk.FromByteArray(staticKey), EncryptionAlgorithm.A128CbcHS256, KeyManagementAlgorithm.Dir);

            byte[] unwrappedKey = new byte[kuwp.GetKeyUnwrapSize(staticKey.Length)];
            var    unwrapped    = kuwp.TryUnwrapKey(default, unwrappedKey, jwtHeader, out _);
コード例 #6
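        /// <summary>
        /// Sample: builds a symmetric JWK directly from raw key bytes and prints it.
        /// </summary>
        private static void ReadSymmetricKeyFromByteArray()
        {
            // SymmetricJwk.FromByteArray takes the raw key bytes (here a 256-bit key). This differs from
            // SymmetricJwk.FromBase64Url, which takes a Base64-URL encoded string instead.
            var binaryKey = new byte[32] {
                71, 211, 50, 89, 161, 40, 202, 35, 24, 86, 37, 86, 163, 193, 100, 225, 53, 6, 90, 36, 168, 105, 110, 148, 214, 115, 170, 94, 184, 188, 253, 117
            };
            var binarySymmetricKey = SymmetricJwk.FromByteArray(binaryKey);

            binarySymmetricKey.Kid = "binary";
            // Demo output only: printing a symmetric JWK may include its secret key material ("k").
            Console.WriteLine("JWK from byte array:");
            Console.WriteLine(binarySymmetricKey);
            Console.WriteLine();
        }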
コード例 #7
        public void Decrypt_Empty()
        {
            // Empty ciphertext, IV, associated data and tag must be rejected: decryption reports
            // failure and writes nothing, rather than "succeeding" with zero bytes.
            var key = SymmetricJwk.FromByteArray(Encoding.UTF8.GetBytes("ThisIsA128bitKey" + "ThisIsA128bitKey"));
            var decryptor = new AesCbcHmacDecryptor(EncryptionAlgorithm.A128CbcHS256);
            Span<byte> empty = Span<byte>.Empty;
            var output = new byte[0];

            bool ok = decryptor.TryDecrypt(key.K, empty, empty, empty, empty, output, out int written);

            Assert.False(ok);
            Assert.Equal(0, written);
        }
コード例 #8
 /// <summary>
 /// Builds the demo host: a background <see cref="Worker"/> plus the audit-trail client pointed at a
 /// local delivery endpoint and the public demo IdentityServer.
 /// </summary>
 /// <param name="args">Command-line arguments forwarded to the default host builder.</param>
 public static IHostBuilder CreateHostBuilder(string[] args)
 {
     var hostBuilder = Host.CreateDefaultBuilder(args);

     return hostBuilder.ConfigureServices((context, services) =>
     {
         services.AddHostedService<Worker>();

         // Demo values: the literal client secret and the all-zero temporary-storage key are
         // placeholders for a local run. A real deployment must take both from configuration or a
         // secret store, never from source.
         services.AddAuditTrailClient(options =>
         {
             options.DeliveryEndpoint = "https://localhost:5001/events";
             options.TemporaryStorageEncryptionKey = SymmetricJwk.FromByteArray(new byte[32]);
             options.TokenClientOptions.Address = "https://demo.identityserver.io/connect/token";
             options.TokenClientOptions.ClientId = "m2m";
             options.TokenClientOptions.ClientSecret = "secret";
         });
     });
 }
コード例 #9
 /// <summary>
 /// Builds a test host whose audit-trail client sends all HTTP through <paramref name="handler"/>
 /// and uses a no-op token acquirer, so no real network or identity provider is touched.
 /// </summary>
 /// <param name="handler">Fake primary message handler that captures or answers outbound requests.</param>
 private static IHostBuilder CreateHostBuilder(TestHttpMessageHandler handler)
 {
     var hostBuilder = Host.CreateDefaultBuilder();

     return hostBuilder.ConfigureServices((context, services) =>
     {
         var clientBuilder = services.AddAuditTrailClient(options =>
         {
             options.DeliveryEndpoint = "https://example.com/events/";
             // All-zero key: a test fixture, not a real storage key.
             options.TemporaryStorageEncryptionKey = SymmetricJwk.FromByteArray(new byte[32]);
         });
         clientBuilder.ConfigurePrimaryHttpMessageHandler(() => handler);
         // No extra HttpClient configuration is needed for the tests.
         clientBuilder.ConfigureHttpClient(_ => { });

         // Swap the real token acquirer for one that never contacts an identity provider.
         services.Replace(ServiceDescriptor.Singleton(typeof(IAccessTokenAcquirer), typeof(NullTokenAcquirer)));
     });
 }
コード例 #10
ファイル: KeyVaultKeyProvider.cs プロジェクト: watfordgnf/Jwt
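        /// <summary>
        /// Enumerates every key in the vault and converts each supported one (oct, RSA, and — outside
        /// .NET Framework — EC) to its <see cref="Jwk"/> form. Unsupported key types are skipped.
        /// </summary>
        /// <returns>The converted keys, in enumeration order.</returns>
        private async Task<Jwk[]> GetKeysAsync()
        {
            var keys = new List<Jwk>();

            await foreach (var keyProperties in _client.GetPropertiesOfKeysAsync())
            {
                var kvKey = await _client.GetKeyAsync(keyProperties.Name);
                var keyType = kvKey.Value.KeyType;

                Jwk? key = null;
                if (keyType == KeyType.Oct)
                {
                    key = SymmetricJwk.FromByteArray(kvKey.Value.Key.K, false);
                }
                else if (keyType == KeyType.Rsa || keyType == KeyType.RsaHsm)
                {
                    // ToRSA(true) requests the private parameters; the RSA instance is disposable, so scope it.
                    // NOTE(review): assumes the vault hands back private material for this key — confirm
                    // the behaviour for non-exportable / HSM-backed keys.
                    using (var rsa = kvKey.Value.Key.ToRSA(true))
                    {
                        key = RsaJwk.FromParameters(rsa.ExportParameters(true), false);
                    }
                }
#if !NETFRAMEWORK
                else if (keyType == KeyType.Ec || keyType == KeyType.EcHsm)
                {
                    // The converted EC key must be assigned, otherwise it is silently dropped from the result.
                    key = ECJwk.FromParameters(ConvertToECParameters(kvKey.Value), computeThumbprint: false);
                }
#endif

                if (!(key is null))
                {
                    // Kid carries the vault's key identifier; key operations are copied across as strings.
                    key.Kid = JsonEncodedText.Encode(kvKey.Value.Key.Id);
                    if (kvKey.Value.Key.KeyOps != null)
                    {
                        foreach (var operation in kvKey.Value.Key.KeyOps)
                        {
                            key.KeyOps.Add(JsonEncodedText.Encode(operation.ToString()));
                        }
                    }

                    keys.Add(key);
                }
            }

            return keys.ToArray();
        }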
コード例 #11
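        /// <summary>
        /// Synchronously enumerates every key in the vault and converts each supported one (oct, RSA,
        /// and — outside .NET Framework — EC) to its <see cref="Jwk"/> form; unsupported types are skipped.
        /// </summary>
        /// <returns>A <see cref="Jwks"/> named after the vault URI containing the converted keys.</returns>
        protected override Jwks GetKeysFromSource()
        {
            var keys = new List<Jwk>();

            foreach (var keyProperties in _client.GetPropertiesOfKeys())
            {
                var kvKey = _client.GetKey(keyProperties.Name);
                var keyType = kvKey.Value.KeyType;

                Jwk? key = null;
                if (keyType == KeyType.Oct)
                {
                    key = SymmetricJwk.FromByteArray(kvKey.Value.Key.K, false);
                }
                else if (keyType == KeyType.Rsa || keyType == KeyType.RsaHsm)
                {
                    // ToRSA(true) requests the private parameters; the RSA instance is disposable, so scope it.
                    // NOTE(review): assumes the vault hands back private material for this key — confirm
                    // the behaviour for non-exportable / HSM-backed keys.
                    using (var rsa = kvKey.Value.Key.ToRSA(true))
                    {
                        key = RsaJwk.FromParameters(rsa.ExportParameters(true), false);
                    }
                }
#if !NETFRAMEWORK
                else if (keyType == KeyType.Ec || keyType == KeyType.EcHsm)
                {
                    // The converted EC key must be assigned, otherwise it is silently dropped from the result.
                    key = ECJwk.FromParameters(ConvertToECParameters(kvKey.Value), computeThumbprint: false);
                }
#endif

                if (!(key is null))
                {
                    // Kid carries the vault's key identifier; key operations are copied across as strings.
                    key.Kid = JsonEncodedText.Encode(kvKey.Value.Key.Id);
                    if (kvKey.Value.Key.KeyOps != null)
                    {
                        foreach (var operation in kvKey.Value.Key.KeyOps)
                        {
                            key.KeyOps.Add(JsonEncodedText.Encode(operation.ToString()));
                        }
                    }

                    keys.Add(key);
                }
            }

            return new Jwks(_client.VaultUri.ToString(), keys);
        }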
コード例 #12
        public void Decrypt_Empty()
        {
            // The Aes192CbcDecryptor path needs hardware AES support.
            if (!System.Runtime.Intrinsics.X86.Aes.IsSupported)
            {
                return;
            }

            // Empty ciphertext, IV, associated data and tag must be rejected by both the portable and
            // the hardware decryptor, with nothing written to the output buffer.
            var key = SymmetricJwk.FromByteArray(Encoding.UTF8.GetBytes("ThisIsA128bitKey" + "ThisIsA128bitKey" + "ThisIsA128bitKey"));
            Span<byte> empty = Span<byte>.Empty;
            var output = new byte[0];

            var portableDecryptor = new AesCbcHmacDecryptor(EncryptionAlgorithm.A192CbcHS384);
            bool ok = portableDecryptor.TryDecrypt(key.K, empty, empty, empty, empty, output, out int written);
            Assert.False(ok);
            Assert.Equal(0, written);

            var hardwareDecryptor = new AesCbcHmacDecryptor(EncryptionAlgorithm.A192CbcHS384, new Aes192CbcDecryptor());
            ok = hardwareDecryptor.TryDecrypt(key.K, empty, empty, empty, empty, output, out written);
            Assert.False(ok);
            Assert.Equal(0, written);
        }
コード例 #13
        /// <summary>
        /// Builds a security-event token descriptor fixture: a SCIM "create" event for one user,
        /// signed with HS256 over an all-zero 128-bit key (test value only).
        /// </summary>
        private static SecEventDescriptor CreateDescriptor()
        {
            var createEvent = new JsonObject
            {
                { "ref", "https://scim.example.com/Users/44f6142df96bd6ab61e7521d9" },
                { "attributes", new object[] { "id", "name", "userName", "password", "emails" } }
            };
            var events = new JsonObject
            {
                { "urn:ietf:params:scim:event:create", createEvent }
            };
            var payload = new JwtPayload
            {
                { "iss", "https://client.example.com" },
                { "iat", EpochTime.UtcNow },
                { "jti", "4d3559ec67504aaba65d40b0363faad8" },
                { "aud", new[] { "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754", "https://scim.example.com/Feeds/5d7604516b1d08641d7676ee7" } },
                { "events", events }
            };

            var signingKey = SymmetricJwk.FromByteArray(new byte[16]);
            return new SecEventDescriptor(signingKey, SignatureAlgorithm.HS256)
            {
                Payload = payload
            };
        }
コード例 #14
 /// <summary>
 /// Test key: 128 ASCII 'a' bytes (one byte per character in UTF-8) wrapped as a symmetric JWK.
 /// </summary>
 private static Jwk GetJwk()
 {
     var keyMaterial = Encoding.UTF8.GetBytes(new string('a', 128));
     return SymmetricJwk.FromByteArray(keyMaterial);
 }