public void CanValidateES256() { const string token = "eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q"; var x = Base64Url.DeserializeBytes("f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "ECDSA key X value"); var y = Base64Url.DeserializeBytes("x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "ECDSA key Y value"); var key = new ECDsaSecurityKey(ECDsa.Create(new ECParameters { Q = new ECPoint { X = x, Y = y }, Curve = ECCurve.NamedCurves.nistP384 })); IdentityModelEventSource.ShowPII = true; var result = new JsonWebTokenHandler().ValidateToken(token, new TokenValidationParameters { IssuerSigningKey = key, ClockSkew = TimeSpan.FromDays(4000), ValidIssuer = "joe", ValidateAudience = false }); result.IsValid.ShouldBeTrue(); }
private ClaimsPrincipal ValidateSignature(string identityToken, JwtSecurityTokenHandler handler, TokenValidationParameters parameters) { if (parameters.RequireSignedTokens) { // read keys from provider information var keys = new List <SecurityKey>(); foreach (var webKey in _options.ProviderInformation.KeySet.Keys) { if (webKey.E.IsPresent() && webKey.N.IsPresent()) { // only add keys used for signatures if (webKey.Use == "sig" || webKey.Use == null) { var e = Base64Url.Decode(webKey.E); var n = Base64Url.Decode(webKey.N); var key = new RsaSecurityKey(new RSAParameters { Exponent = e, Modulus = n }); key.KeyId = webKey.Kid; keys.Add(key); _logger.LogDebug("Added signing key with kid: {kid}", key?.KeyId ?? "not set"); } } else if (webKey.X.IsPresent() && webKey.Y.IsPresent() && webKey.Crv.IsPresent()) { #if NETSTANDARD2_0 var ec = ECDsa.Create(new ECParameters { Curve = GetCurveFromCrvValue(webKey.Crv), Q = new ECPoint { X = Base64Url.Decode(webKey.X), Y = Base64Url.Decode(webKey.Y) } }); var key = new ECDsaSecurityKey(ec); key.KeyId = webKey.Kid; keys.Add(key); #else _logger.LogDebug("Found an EC key with kid: {kid}, but .NET Framework 4.6.1 does not support that.", webKey.Kid ?? "not set"); #endif } else { _logger.LogDebug("Signing key with kid: {kid} currently not supported", webKey.Kid ?? "not set"); } } parameters.IssuerSigningKeys = keys; } SecurityToken token; return(handler.ValidateToken(identityToken, parameters, out token)); }
public static string GenerateAppleToken(string secret, string keyId, string sub, string iss, string aud, DateTime expires) { ReadOnlySpan <byte> keyAsSpan = Convert.FromBase64String(secret); var prvKey = ECDsa.Create(); prvKey.ImportPkcs8PrivateKey(keyAsSpan, out var read); IJwtAlgorithm algorithm = new ES256Algorithm(ECDsa.Create(), prvKey); var tokenHandler = new JwtSecurityTokenHandler(); var securityKey = new ECDsaSecurityKey(prvKey); var tokenDescriptor = new SecurityTokenDescriptor { Expires = expires, Issuer = iss, Audience = aud, SigningCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.EcdsaSha256), Subject = new ClaimsIdentity(new[] { new Claim("sub", sub) }), }; var header = new Dictionary <string, object>() { { "kid", keyId } }; var token = tokenHandler.CreateJwtSecurityToken(tokenDescriptor); token.Header.Add("kid", keyId); return(tokenHandler.WriteToken(token)); }
public void ConfigureServices(IServiceCollection services) { services.AddControllersWithViews(); var builder = services.AddIdentityServer(options => { options.Events.RaiseErrorEvents = true; options.Events.RaiseInformationEvents = true; options.Events.RaiseFailureEvents = true; options.Events.RaiseSuccessEvents = true; }) .AddInMemoryIdentityResources(Config.IdentityResources) .AddInMemoryApiResources(Config.ApiResources) .AddInMemoryApiScopes(Config.ApiScopes) .AddInMemoryClients(Config.Clients) .AddTestUsers(TestUsers.Users); var pemBytes = Convert.FromBase64String( @"MHcCAQEEIB2EbKgBGbRxWTtWheDgaNw3P7TsSsMoWloU4NHO3MWYoAoGCCqGSM49 AwEHoUQDQgAEVGVVEnzMZnTv/8Jk0/WlFs9poYA7XqI7ITHH78OPenhGS02GBjXM WV/akdaWBgIyUP8/86kJ2KRyuHR4c/jIuA=="); var ecdsa = ECDsa.Create(); ecdsa.ImportECPrivateKey(pemBytes, out _); var securityKey = new ECDsaSecurityKey(ecdsa) { KeyId = "ef208a01ef43406f833b267023766550" }; builder.AddSigningCredential(securityKey, IdentityServerConstants.ECDsaSigningAlgorithm.ES256); builder.AddSigningCredential(new RsaSecurityKey(RSA.Create()), IdentityServerConstants.RsaSigningAlgorithm.RS256); }
private async Task <string> GenerateJwtMobileToken(DeliveryAccount account) { var claims = new List <Claim> { new Claim(JwtRegisteredClaimNames.Sub, account.MobileUserId), new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()), new Claim(ClaimTypes.NameIdentifier, account.Id), new Claim(CustomClaimType.CourtId, account.CourtId.ToString()), new Claim(CustomClaimType.LawUnitId, account.LawUnitId.ToString()), }; // var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["JwtMobileKey"])); // var creds = new SigningCredentials(key, SecurityAlgorithms.EcdsaSha256); // .EcdsaSha512); // HmacSha256); string privateKey = configuration["JwtMobileKey"]; ECDsa eCDsa = EDCsaHelper.LoadPrivateKey(EDCsaHelper.FromHexString(privateKey)); var key = new ECDsaSecurityKey(eCDsa); var creds = new SigningCredentials(key, SecurityAlgorithms.EcdsaSha512); // .EcdsaSha512); // HmacSha256); var expires = DateTime.Now.AddDays(Convert.ToDouble(configuration["JwtMobileExpireDays"])); var token = new JwtSecurityToken( configuration["JwtMobileIssuer"], configuration["JwtMobileIssuer"], claims, expires: expires, signingCredentials: creds ); return(new JwtSecurityTokenHandler().WriteToken(token)); }
/// <summary> /// Create a new client secret (per request). /// </summary> /// <param name="issuer">Your account's team ID found in the dev portal.</param> /// <param name="audience">Apple authority.</param> /// <param name="subject">The service id (client_id).</param> /// <param name="privateKey">Base64 encoded private key.</param> /// <param name="privateKeyId">The key id.</param> /// <param name="duration">Expiry can be a maximum of 6 months - generate one per request or re-use until expiration. Defaults to 5 minutes.</param> public static string CreateNewToken(string issuer, string audience, string subject, string privateKey, string privateKeyId, TimeSpan?duration = null) { duration ??= TimeSpan.FromMinutes(5); var now = DateTime.UtcNow; var ecdsa = ECDsa.Create(); if (privateKey.StartsWith('-')) { var lines = privateKey.Split(new[] { '\n', '\r' }, StringSplitOptions.RemoveEmptyEntries); privateKey = string.Join("", lines.Skip(1).Take(lines.Length - 2)); } //#if NETCOREAPP3_1 ecdsa?.ImportPkcs8PrivateKey(Convert.FromBase64String(privateKey), out _); //#else //ecdsa?.ImportFromPem(privateKey); //#endif var handler = new JsonWebTokenHandler(); var key = new ECDsaSecurityKey(ecdsa) { KeyId = privateKeyId }; return(handler.CreateToken(new SecurityTokenDescriptor { Issuer = issuer, Audience = audience, Claims = new Dictionary <string, object> { { "sub", subject } }, Expires = now.Add(duration.Value), IssuedAt = now, NotBefore = now, SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.EcdsaSha256) })); }
public async Task <SecurityKeyWithAlgorithm> GetSigningSecurityKey() { var secret = await _outbackDbContext.Secrets.SingleOrDefaultAsync(m => m.ActiveSigningKey == true); switch (secret.PublicKeyCryptographyType) { case PublicKeyCryptographyType.EC_NistP256: var storedParameters = JsonSerializer.Deserialize <CryptographyParameters>(secret.CryptographyData); var ecParameters = new ECParameters { Curve = ECCurve.NamedCurves.nistP256, D = Base64UrlEncoder.DecodeBytes(storedParameters.EncodedD), Q = new ECPoint { X = Base64UrlEncoder.DecodeBytes(storedParameters.EncodedX), Y = Base64UrlEncoder.DecodeBytes(storedParameters.EncodedY) } }; var ecdsa = ECDsa.Create(); ecdsa.ImportParameters(ecParameters); var ecdSaKey = new ECDsaSecurityKey(ecdsa) { KeyId = storedParameters.KeyId }; return(new SecurityKeyWithAlgorithm(JsonWebKeyConverter.ConvertFromECDsaSecurityKey(ecdSaKey), SecurityAlgorithms.EcdsaSha256)); default: throw new Exception($"{secret.PublicKeyCryptographyType} is not supported"); } }
public static GeneratedJwtKey Create() { Guid subjectId = Guid.NewGuid(); string subjectStr = subjectId.ToString("D"); ECDsa dsa = ECDsa.Create(); dsa.GenerateKey(ECCurve.NamedCurves.nistP384); ECDsaSecurityKey secKey = new ECDsaSecurityKey(dsa); SigningCredentials signingCreds = new SigningCredentials(secKey, SecurityAlgorithms.EcdsaSha384); JwtHeader newHeader = new JwtHeader(signingCreds, null, JwtConstants.HeaderType); Claim audClaim = new Claim(AuthConstants.ClaimAudienceStr, AuthConstants.ApiKeyJwtAudience); Claim issClaim = new Claim(AuthConstants.ClaimIssuerStr, AuthConstants.ApiKeyJwtInternalIssuer); Claim subClaim = new Claim(AuthConstants.ClaimSubjectStr, subjectStr); JwtPayload newPayload = new JwtPayload(new Claim[] { audClaim, issClaim, subClaim }); JwtSecurityToken newToken = new JwtSecurityToken(newHeader, newPayload); ECDsa pubDsa = ECDsa.Create(dsa.ExportParameters(includePrivateParameters: false)); ECDsaSecurityKey pubSecKey = new ECDsaSecurityKey(pubDsa); JsonWebKey jwk = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(pubSecKey); string publicKeyJson = JsonSerializer.Serialize(jwk, new JsonSerializerOptions() { DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull }); string publicKeyEncoded = Base64UrlEncoder.Encode(publicKeyJson); JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler(); string output = tokenHandler.WriteToken(newToken); return(new GeneratedJwtKey(output, subjectStr, publicKeyEncoded)); }
#pragma warning restore CS3016 // Arrays as attribute arguments is not CLS-compliant public void IsSupportedAlgorithm(ECDsaSecurityKey key, string alg, bool expectedResult) { if (key.CryptoProviderFactory.IsSupportedAlgorithm(alg, key) != expectedResult) { Assert.True(false, string.Format("{0} failed with alg: {1}. ExpectedResult: {2}", key, alg, expectedResult)); } }
/// <summary> /// Constructor for X509KeyContainer. /// </summary> public X509KeyContainer(ECDsaSecurityKey key, string algorithm, DateTime created, TimeSpan certAge, string issuer = "OP") : base(key.KeyId, algorithm, created) { HasX509Certificate = true; var distinguishedName = new X500DistinguishedName($"CN={issuer}"); //var ec = ECDsa.Create(key.ECDsa.par) var request = new CertificateRequest(distinguishedName, key.ECDsa, HashAlgorithmName.SHA256); request.CertificateExtensions.Add( new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, false)); request.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid(ServerAuthenticationOid) }, false)); _cert = request.CreateSelfSigned( new DateTimeOffset(created, TimeSpan.Zero), new DateTimeOffset(created.Add(certAge), TimeSpan.Zero)); CertificateRawData = Convert.ToBase64String(_cert.Export(X509ContentType.Pfx)); }
public static SecurityKey LoadECDSACert(string serializedParamsPath) { if (string.IsNullOrEmpty(serializedParamsPath)) { throw new NullReferenceException("Path may not be null or empty"); } var ecDsa = ECDsa.Create(); if (ecDsa == null) { throw new InvalidOperationException(); } if (!File.Exists(serializedParamsPath)) { File.WriteAllText(serializedParamsPath, JsonConvert.SerializeObject(ecDsa.ExportParameters(true).ToEcParamsDto())); return(new ECDsaSecurityKey(ecDsa)); } var ecParams = JsonConvert.DeserializeObject <EcParamsDto>(File.ReadAllText(serializedParamsPath)); ecDsa.ImportParameters(ecParams.ToEcParameters()); var key = new ECDsaSecurityKey(ecDsa) { CryptoProviderFactory = CryptoProviderFactory.Default }; return(key); }
private byte[] Sign(byte[] payload, byte[] publicKey, byte[] privateKey) { var key = new ECDsaSecurityKey(LoadPrivateKey(privateKey)); var provider = new AsymmetricSignatureProvider(key, SecurityAlgorithms.EcdsaSha256Signature); return(provider.Sign(payload)); }
private bool Verify(byte[] payload, byte[] signature, byte[] publicKey) { var key = new ECDsaSecurityKey(LoadPublicKey(publicKey)); var provider = new AsymmetricSignatureProvider(key, SecurityAlgorithms.EcdsaSha256Signature); return(provider.Verify(payload, signature)); }
/// <summary> /// Constructor for EcKeyContainer. /// </summary> public EcKeyContainer(ECDsaSecurityKey key, string algorithm, DateTime created) : base(key.KeyId, algorithm, created) { var parameters = key.ECDsa.ExportParameters(includePrivateParameters: true); D = parameters.D; Q = parameters.Q; }
public void Constructor() { // testing constructor that takes ECDsa instance ECDsaSecurityKeyConstructorWithEcdsa(null, ExpectedException.ArgumentNullException("ecdsa")); ECDsaSecurityKeyConstructorWithEcdsa(new ECDsaCng(), ExpectedException.NoExceptionExpected); var ecdsaSecurityKey = new ECDsaSecurityKey(new ECDsaCng()); Assert.True(ecdsaSecurityKey.HasPrivateKey, "ecdsaSecurityKey.HasPrivate is false"); }
/// <summary> /// Get the private ECDSA key from a certificate and set the KeyID /// /// For ECDSA certificates we need to set the KeyID manually according to a comment here /// https://github.com/IdentityServer/IdentityServer4/blob/main/src/IdentityServer4/host/Startup.cs /// (directly using the certificate is not support by Microsoft right now) /// /// So we set the KeyID to something that is consistent and tied to the key, /// the first part of the thumbprint is a good starting point. /// </summary> /// <param name="ecCert"></param> /// <returns></returns> private static ECDsaSecurityKey GetECDsaPrivateKey(X509Certificate2 ecCert) { var privateKey = new ECDsaSecurityKey(ecCert.GetECDsaPrivateKey()) { KeyId = ecCert.Thumbprint.Substring(0, 16) }; return(privateKey); }
private SigningCredentials CreateSigningCredentials(string keyId, ECDsa algorithm) { var key = new ECDsaSecurityKey(algorithm) { KeyId = keyId }; return(new SigningCredentials(key, SecurityAlgorithms.EcdsaSha256Signature)); }
public void Constructor() { // testing constructor that takes ECDsa instance ECDsaSecurityKeyConstructorWithEcdsa(null, ExpectedException.ArgumentNullException("ecdsa")); ECDsaSecurityKeyConstructorWithEcdsa(new ECDsaCng(), ExpectedException.NoExceptionExpected); var ecdsaSecurityKey = new ECDsaSecurityKey(new ECDsaCng()); Assert.True(ecdsaSecurityKey.PrivateKeyStatus == PrivateKeyStatus.Unknown, "ecdsaSecurityKey.FoundPrivateKey is unknown"); }
public void AddSigningCredential_with_invalid_curve_should_throw_exception(string curveOid, string alg) { IServiceCollection services = new ServiceCollection(); IIdentityServerBuilder identityServerBuilder = new IdentityServerBuilder(services); var key = new ECDsaSecurityKey(ECDsa.Create( ECCurve.CreateFromOid(Oid.FromOidValue(curveOid, OidGroup.All)))); Assert.Throws <InvalidOperationException>(() => identityServerBuilder.AddSigningCredential(key, alg)); }
public void AddSigningCredential_with_valid_curve_should_succeed(string curveOid, string alg) { IServiceCollection services = new ServiceCollection(); IIdentityServerBuilder identityServerBuilder = new IdentityServerBuilder(services); var key = new ECDsaSecurityKey(ECDsa.Create( ECCurve.CreateFromOid(Oid.FromOidValue(curveOid, OidGroup.All)))); identityServerBuilder.AddSigningCredential(key, alg); }
private TokenValidationResult ValidateSignature(string identityToken, JsonWebTokenHandler handler, TokenValidationParameters parameters, OidcClientOptions options, ILogger logger) { if (parameters.RequireSignedTokens) { // read keys from provider information var keys = new List <SecurityKey>(); foreach (var webKey in options.ProviderInformation.KeySet.Keys) { if (webKey.E.IsPresent() && webKey.N.IsPresent()) { // only add keys used for signatures if (webKey.Use == "sig" || webKey.Use == null) { var e = Base64Url.Decode(webKey.E); var n = Base64Url.Decode(webKey.N); var key = new RsaSecurityKey(new RSAParameters { Exponent = e, Modulus = n }); key.KeyId = webKey.Kid; keys.Add(key); logger.LogDebug("Added signing key with kid: {kid}", key?.KeyId ?? "not set"); } } else if (webKey.X.IsPresent() && webKey.Y.IsPresent() && webKey.Crv.IsPresent()) { var ec = ECDsa.Create(new ECParameters { Curve = GetCurveFromCrvValue(webKey.Crv), Q = new ECPoint { X = Base64Url.Decode(webKey.X), Y = Base64Url.Decode(webKey.Y) } }); var key = new ECDsaSecurityKey(ec); key.KeyId = webKey.Kid; keys.Add(key); } else { logger.LogDebug("Signing key with kid: {kid} currently not supported", webKey.Kid ?? "not set"); } } parameters.IssuerSigningKeys = keys; } return(handler.ValidateToken(identityToken, parameters)); }
private JsonWebKey CreateJWK() { var key = new ECDsaSecurityKey(ECDsa.Create(Curve)) { KeyId = Guid.NewGuid().ToString() }; var jwk = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(key); SaveKey(jwk); return(jwk); }
private void ECDsaSecurityKeyConstructorWithEcdsa(ECDsa ecdsa, ExpectedException ee) { try { var ecdsaSecurityKey = new ECDsaSecurityKey(ecdsa); ee.ProcessNoException(); } catch (Exception exception) { ee.ProcessException(exception); } }
/// <summary> /// Adds an ECDSA-based validation key. /// </summary> /// <param name="builder">The builder.</param> /// <param name="key">The ECDSA key</param> /// <param name="signingAlgorithm">The ECDSA-based signing algorithm</param> /// <returns></returns> public static IIdentityServerBuilder AddValidationKey( this IIdentityServerBuilder builder, ECDsaSecurityKey key, IdentityServerConstants.ECDsaSigningAlgorithm signingAlgorithm = IdentityServerConstants.ECDsaSigningAlgorithm.ES256) { var keyInfo = new SecurityKeyInfo { Key = key, SigningAlgorithm = CryptoHelper.GetECDsaSigningAlgorithmValue(signingAlgorithm) }; return(builder.AddValidationKey(keyInfo)); }
internal static bool IsValidCurveForAlgorithm(ECDsaSecurityKey key, string algorithm) { var parameters = key.ECDsa.ExportParameters(false); if (algorithm == SecurityAlgorithms.EcdsaSha256 && parameters.Curve.Oid.Value != CurveOids.P256 || algorithm == SecurityAlgorithms.EcdsaSha384 && parameters.Curve.Oid.Value != CurveOids.P384 || algorithm == SecurityAlgorithms.EcdsaSha512 && parameters.Curve.Oid.Value != CurveOids.P521) { return(false); } return(true); }
Task <D2LSecurityToken> IPrivateKeyProvider.GetSigningCredentialsAsync() { var ecdsa = ECDsa.Create(m_curve); var parameters = ecdsa.ExportParameters(includePrivateParameters: true); D2LSecurityToken result = m_d2lSecurityTokenFactory.Create(() => { var ecDsa = ECDsa.Create(parameters); var key = new ECDsaSecurityKey(ecDsa); return(new Tuple <AsymmetricSecurityKey, IDisposable>(key, ecDsa)); }); return(Task.FromResult(result)); }
public void ConfigureServices(IServiceCollection services) { services.AddControllersWithViews(); var password = "******"; var ecdsaPFX = @"MIID9wIBAzCCA7MGCSqGSIb3DQEHAaCCA6QEggOgMIIDnDCCAW0GCSqGSIb3DQEHAaCCAV4EggFaMIIBVjCCAVIGCyqGSIb3DQEMCgECoIHMMIHJMBwGCiqGSIb3DQEMAQMwDgQI6Rn/G4nB1SACAgfQBIGoRg/w/KUDAumcM0STBZ DYefbKsk3M6p7qILoOIfD2k4i9gkL0+JKWbSSPzOoAtKE9FhGbT2WC1Vyt1CjRsRkPqtCpkU/D2rVwq9BKX483+1x+2JqhuhkMU1NAejn5QUqCPmjKPnWfjVXRPGMmYQoIKK+B9uZiPk0k3FlLC/6/JPI51wA1rwGuor99vgaU02fauNcRDv/CCpWCAeSUZAZApY6jRE9Wwi93MXQwEwYJKoZIhvcNAQkVMQYEBAEAAAAwXQYJKwYBBAGCNxEBMVAeTgBNAGkAYwByAG8AcwBvAGYAdAAgAFMAbwBmAHQAdwBhAHIAZQAgAEsAZQB5ACAAUwB0AG8AcgBhAGcAZQAgAFAAcgBvAHYAaQBkAGUAcjCCAicGCSqGSIb3DQEHBqCCAhgwggIUAgEAMIICDQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQI6jHZeCkfSu4CAgfQgIIB4Cx+XJ79QcELNweAZH/LWrTR25Im0HJ/SfATqnNcOvfluz3TxuJOrJUy15exisVjKSBynD6Tl4IyIwLSfJoC9N3ydaMcOvcKATdGDEd5nX8zSWNaJGCJXMQAU3M/YHo+vrOOjatOEs65/3qQSrEITcEPVqN6/lfoBPpZh10NIiGuzhXqbSulki45f2Tly43ondBosqX3NzSQzOlAKmgivMeGxL+mMfpe9IkgHfIsJ9uu4x6iaSKiHdeAzHLtINKQzianHEmiusOaz9hrE0F5AO3NUM8nxtLFouQwX0JreXeFsZPriIqZ4b9p6ulEnw6MC0TjZZ9OOj7MGcvvHQeXCufnQL3FpUghzzG7lBx50Ovf9KzL7lG+mLIU8fkJ19bx6izYwVSHZa0CtZg28bF/mqC19Qi6ev/9j0nC9MmsfA25fnKpe7Ob2ddbkXSa8v6whVTY5C/digfrtKeoQay3B1gTZXKdiRH700ejS6FZ1EliMfMfRYczyc6kYsrBez0AlvkaozgqX8wyD4Z1iSjwYSLmOlguvCIuhDV3crltkjODGRHlyckdlWEJNH0PIJBr9qG1jRnA1t/MWdJK9gHTX2VqwHtPZKxikQq6x1h/hFMpU8ZahD1y886JLnBiBqxkIzA7MB8wBwYFKw4DAhoEFMO4ZPmUTPmNn7Xn57uXiyIWyttZBBTlMlP5OzM3CMlqmNdJOPK+iiOEwQICB9A="; byte[] ecdsaCertPfxBytes = Convert.FromBase64String(ecdsaPFX); var ecdsaCertificate = new X509Certificate2(ecdsaCertPfxBytes, password); ECDsaSecurityKey ecdsaCertificatePublicKey = new ECDsaSecurityKey(ecdsaCertificate.GetECDsaPrivateKey()); var builder = services.AddIdentityServer(options => { options.Events.RaiseErrorEvents = true; options.Events.RaiseInformationEvents = true; options.Events.RaiseFailureEvents = true; options.Events.RaiseSuccessEvents = true; // see https://docs.duendesoftware.com/identityserver/v5/basics/resources options.EmitStaticAudienceClaim = true; options.KeyManagement.Enabled = false; }) .AddTestUsers(TestUsers.Users); builder.AddInMemoryIdentityResources(Resources.Identity); builder.AddInMemoryApiScopes(Resources.ApiScopes); builder.AddInMemoryApiResources(Resources.ApiResources); builder.AddInMemoryClients(Clients.List); // this is only needed for the JAR and JWT samples and adds supports for JWT-based client authentication builder.AddJwtBearerClientAuthentication(); services.AddAuthentication() .AddOpenIdConnect("Google", "Sign-in with Google", options => { options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme; options.ForwardSignOut = IdentityServerConstants.DefaultCookieAuthenticationScheme; options.Authority = "https://accounts.google.com/"; options.ClientId = "708778530804-rhu8gc4kged3he14tbmonhmhe7a43hlp.apps.googleusercontent.com"; options.CallbackPath = "/signin-google"; options.Scope.Add("email"); }); builder.AddSigningCredential(ecdsaCertificatePublicKey, IdentityServerConstants.ECDsaSigningAlgorithm.ES256); }
public void SigningCredentials_AddKey_ThrowsAnExceptionForEcdsaKeyOnUnsupportedPlatforms() { // Arrange var credentials = new List <SigningCredentials>(); var key = new ECDsaSecurityKey(Mock.Of <ECDsa>()); // Act and assert var exception = Assert.Throws <PlatformNotSupportedException>(delegate { credentials.AddKey(key); }); Assert.Equal("ECDSA signing keys are not supported on this platform.", exception.Message); }
private static SigningCredentials CreateSigningCredentials(string keyId, ECDsa algorithm) { var key = new ECDsaSecurityKey(algorithm) { KeyId = keyId }; // Use a custom CryptoProviderFactory so that keys are not cached and then disposed of, see below: // https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1302 return(new SigningCredentials(key, SecurityAlgorithms.EcdsaSha256Signature) { CryptoProviderFactory = CryptoProviderFactory, }); }
internal override D2LSecurityToken ToSecurityToken() { var token = new D2LSecurityToken( id: Id, validFrom: DateTimeOffset.UtcNow, validTo: ExpiresAt ?? DateTimeOffset.UtcNow + Constants.REMOTE_KEY_MAX_LIFETIME, keyFactory: () => { var ecdsa = ECDsa.Create(m_parameters); var key = new ECDsaSecurityKey(ecdsa); return(new Tuple <AsymmetricSecurityKey, IDisposable>(key, ecdsa)); } ); return(token); }