コード例 #1
0
        /// <summary>
        /// Encrypts given binary plaintext using JWE and applies requested encryption/compression algorithms.
        /// </summary>
        /// <param name="plaintext">Binary data to encrypt (not null)</param>
        /// <param name="recipients">The details of who to encrypt the plaintext (or rather the CEK) to.</param>
        /// <param name="enc">encryption algorithm to be used to encrypt the plaintext.</param>
        /// <param name="aad">additional authentication data (SerializationMode.Json only)</param>
        /// <param name="mode">serialization mode to use. Note only one recipient can be specified for compact and flattened json serialization.</param>
        /// <param name="compression">optional compression type to use.</param>
        /// <param name="extraProtectedHeaders">optional extra headers to put in the protected header.</param>
        /// <param name="unprotectedHeaders">optional unprotected headers</param>
        /// <param name="settings">optional settings to override global DefaultSettings</param>
        /// <returns>JWT in compact serialization form, encrypted and/or compressed.</returns>
        public static string EncryptBytes(byte[] plaintext, IEnumerable <JweRecipient> recipients, JweEncryption enc, byte[] aad = null, SerializationMode mode = SerializationMode.Json, JweCompression?compression = null, IDictionary <string, object> extraProtectedHeaders = null, IDictionary <string, object> unprotectedHeaders = null, JwtSettings settings = null)
        {
            if (plaintext == null)
            {
                throw new ArgumentNullException(nameof(plaintext));
            }

            settings = GetSettings(settings);
            IJweAlgorithm _enc = settings.Jwe(enc);

            if (_enc == null)
            {
                throw new JoseException(string.Format("Unsupported JWE enc requested: {0}", enc));
            }

            IDictionary <string, object> joseProtectedHeader = Dictionaries.MergeHeaders(
                new Dictionary <string, object> {
                { "enc", settings.JweHeaderValue(enc) }
            },
                extraProtectedHeaders);

            byte[] cek = null;

            var recipientsOut = new List <JweRecipient>();

            foreach (var recipient in recipients)
            {
                IKeyManagement keys = settings.Jwa(recipient.Alg);

                if (keys == null)
                {
                    throw new JoseException(string.Format("Unsupported JWE alg requested: {0}", recipient.Alg));
                }

                // joseHeader - is merge of headers
                // - key management will read from (e.g. enc,apv,apu - ECDH-ES)
                // - key management will write to (e.g. iv, tag - AesGcmKW)
                IDictionary <string, object> joseHeader = Dictionaries.MergeHeaders(
                    joseProtectedHeader,
                    new Dictionary <string, object> {
                    { "alg", settings.JwaHeaderValue(recipient.Alg) }
                },
                    recipient.Header,
                    unprotectedHeaders
                    );

                byte[] encryptedCek;
                if (cek == null)
                {
                    byte[][] contentKeys = keys.WrapNewKey(_enc.KeySize, recipient.Key, joseHeader);
                    cek          = contentKeys[0];
                    encryptedCek = contentKeys[1];
                }
                else
                {
                    encryptedCek = keys.WrapKey(cek, recipient.Key, joseHeader);
                }

                // For the per-receipient header we want the headers from the result of IKeyManagements key wrapping but without the
                // shared headers
                IDictionary <string, object> recipientHeader = joseHeader
                                                               .Where(
                    kvp => !joseProtectedHeader.ContainsKey(kvp.Key) &&
                    (unprotectedHeaders == null || !unprotectedHeaders.ContainsKey(kvp.Key))
                    )
                                                               .ToDictionary(kvp => kvp.Key, kvp => kvp.Value);

                recipientsOut.Add(new JweRecipient(encryptedCek, recipientHeader));
            }

            if (compression.HasValue)
            {
                joseProtectedHeader["zip"] = settings.CompressionHeader(compression.Value);
                plaintext = settings.Compression(compression.Value).Compress(plaintext);
            }

            switch (mode)
            {
            case SerializationMode.Compact:
            {
                if (recipientsOut.Count != 1)
                {
                    throw new JoseException("Only one recipient is supported by the JWE Compact Serialization.");
                }

                if (aad != null)
                {
                    throw new JoseException("JWE AAD value is not valid for JWE Compact Serialization.");
                }

                joseProtectedHeader = Dictionaries.MergeHeaders(recipientsOut[0].Header, joseProtectedHeader);

                byte[] header = Encoding.UTF8.GetBytes(settings.JsonMapper.Serialize(joseProtectedHeader));
                aad = Encoding.UTF8.GetBytes(Compact.Serialize(header));
                byte[][] encParts = _enc.Encrypt(aad, plaintext, cek);

                return(new JweToken(
                           header,
                           null,
                           recipientsOut,
                           null,
                           encParts[0],
                           encParts[1],
                           encParts[2],
                           mode)
                       .AsString());
            }

            case SerializationMode.Json:
            {
                var      protectedHeaderBytes        = Encoding.UTF8.GetBytes(settings.JsonMapper.Serialize(joseProtectedHeader));
                byte[]   asciiEncodedProtectedHeader = Encoding.ASCII.GetBytes(Base64Url.Encode(protectedHeaderBytes));
                byte[][] encParts = _enc.Encrypt(Aad(protectedHeaderBytes, aad), plaintext, cek);

                return(new JweToken(
                           protectedHeaderBytes,
                           unprotectedHeaders,
                           recipientsOut,
                           aad,
                           encParts[0],
                           encParts[1],
                           encParts[2],
                           mode)
                       .AsString(settings.JsonMapper));
            }

            default:
                throw new JoseException($"Unsupported serializtion mode: {mode}.");
            }
        }
コード例 #2
0
 private static byte[] Aad(byte[] protectedHeader, byte[] aad = null)
 {
     return(aad == null?
            Encoding.ASCII.GetBytes(Base64Url.Encode(protectedHeader)) :
                Encoding.ASCII.GetBytes(string.Concat(Base64Url.Encode(protectedHeader), ".", Base64Url.Encode(aad))));
 }