public async Task <SecurityKeyWithAlgorithm> GetSigningSecurityKey() { var secret = await _outbackDbContext.Secrets.SingleOrDefaultAsync(m => m.ActiveSigningKey == true); switch (secret.PublicKeyCryptographyType) { case PublicKeyCryptographyType.EC_NistP256: var storedParameters = JsonSerializer.Deserialize <CryptographyParameters>(secret.CryptographyData); var ecParameters = new ECParameters { Curve = ECCurve.NamedCurves.nistP256, D = Base64UrlEncoder.DecodeBytes(storedParameters.EncodedD), Q = new ECPoint { X = Base64UrlEncoder.DecodeBytes(storedParameters.EncodedX), Y = Base64UrlEncoder.DecodeBytes(storedParameters.EncodedY) } }; var ecdsa = ECDsa.Create(); ecdsa.ImportParameters(ecParameters); var ecdSaKey = new ECDsaSecurityKey(ecdsa) { KeyId = storedParameters.KeyId }; return(new SecurityKeyWithAlgorithm(JsonWebKeyConverter.ConvertFromECDsaSecurityKey(ecdSaKey), SecurityAlgorithms.EcdsaSha256)); default: throw new Exception($"{secret.PublicKeyCryptographyType} is not supported"); } }
public static GeneratedJwtKey Create() { Guid subjectId = Guid.NewGuid(); string subjectStr = subjectId.ToString("D"); ECDsa dsa = ECDsa.Create(); dsa.GenerateKey(ECCurve.NamedCurves.nistP384); ECDsaSecurityKey secKey = new ECDsaSecurityKey(dsa); SigningCredentials signingCreds = new SigningCredentials(secKey, SecurityAlgorithms.EcdsaSha384); JwtHeader newHeader = new JwtHeader(signingCreds, null, JwtConstants.HeaderType); Claim audClaim = new Claim(AuthConstants.ClaimAudienceStr, AuthConstants.ApiKeyJwtAudience); Claim issClaim = new Claim(AuthConstants.ClaimIssuerStr, AuthConstants.ApiKeyJwtInternalIssuer); Claim subClaim = new Claim(AuthConstants.ClaimSubjectStr, subjectStr); JwtPayload newPayload = new JwtPayload(new Claim[] { audClaim, issClaim, subClaim }); JwtSecurityToken newToken = new JwtSecurityToken(newHeader, newPayload); ECDsa pubDsa = ECDsa.Create(dsa.ExportParameters(includePrivateParameters: false)); ECDsaSecurityKey pubSecKey = new ECDsaSecurityKey(pubDsa); JsonWebKey jwk = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(pubSecKey); string publicKeyJson = JsonSerializer.Serialize(jwk, new JsonSerializerOptions() { DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull }); string publicKeyEncoded = Base64UrlEncoder.Encode(publicKeyJson); JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler(); string output = tokenHandler.WriteToken(newToken); return(new GeneratedJwtKey(output, subjectStr, publicKeyEncoded)); }
private JsonWebKey CreateJWK() { var key = new ECDsaSecurityKey(ECDsa.Create(Curve)) { KeyId = Guid.NewGuid().ToString() }; var jwk = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(key); SaveKey(jwk); return(jwk); }
public SecretStorage(RandomStringGenerator randomStringGenerator) { var secret = ECDsa.Create(ECCurve.NamedCurves.nistP256); _ecdSaKey = new ECDsaSecurityKey(secret) { KeyId = randomStringGenerator.GetRandomString(20) }; _key = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(_ecdSaKey); var publicKey = _ecdSaKey.ECDsa.ExportParameters(false); //_ellipticCurveJsonWebKeyModel = new EllipticCurveJsonWebKeyModel(_key.KeyId, Base64UrlEncoder.Encode(_key.X), Base64UrlEncoder.Encode(_key.Y), JsonWebKeyECTypes.P256, SecurityAlgorithms.EcdsaSha256); //_ellipticCurveJsonWebKeyModel = new EllipticCurveJsonWebKeyModel(_key.KeyId, _key.X, _key.Y, JsonWebKeyECTypes.P256, SecurityAlgorithms.EcdsaSha256); _ellipticCurveJsonWebKeyModel = new EllipticCurveJsonWebKeyModel(_ecdSaKey.KeyId, Base64UrlEncoder.Encode(publicKey.Q.X), Base64UrlEncoder.Encode(publicKey.Q.Y), JsonWebKeyECTypes.P256, SecurityAlgorithms.EcdsaSha256); }
public static RootOptions UseApiKey(this RootOptions options, string algorithmName, string subject, JwtPayload customPayload, out string token, out SecurityKey privateKey) { if (null == options.Authentication) { options.Authentication = new AuthenticationOptions(); } if (null == options.Authentication.MonitorApiKey) { options.Authentication.MonitorApiKey = new MonitorApiKeyOptions(); } SigningCredentials signingCreds; JsonWebKey exportableJwk; switch (algorithmName) { case SecurityAlgorithms.EcdsaSha256: case SecurityAlgorithms.EcdsaSha256Signature: case SecurityAlgorithms.EcdsaSha384: case SecurityAlgorithms.EcdsaSha384Signature: case SecurityAlgorithms.EcdsaSha512: case SecurityAlgorithms.EcdsaSha512Signature: ECDsa ecDsa = ECDsa.Create(GetEcCurveFromName(algorithmName)); ECDsaSecurityKey ecSecKey = new ECDsaSecurityKey(ecDsa); signingCreds = new SigningCredentials(ecSecKey, algorithmName); ECDsa pubEcDsa = ECDsa.Create(ecDsa.ExportParameters(false)); ECDsaSecurityKey pubEcSecKey = new ECDsaSecurityKey(pubEcDsa); exportableJwk = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(pubEcSecKey); privateKey = ecSecKey; break; case SecurityAlgorithms.RsaSha256: case SecurityAlgorithms.RsaSha256Signature: case SecurityAlgorithms.RsaSha384: case SecurityAlgorithms.RsaSha384Signature: case SecurityAlgorithms.RsaSha512: case SecurityAlgorithms.RsaSha512Signature: RSA rsa = RSA.Create(GetRsaKeyLengthFromName(algorithmName)); RsaSecurityKey rsaSecKey = new RsaSecurityKey(rsa); signingCreds = new SigningCredentials(rsaSecKey, algorithmName); RSA pubRsa = RSA.Create(rsa.ExportParameters(false)); RsaSecurityKey pubRsaSecKey = new RsaSecurityKey(pubRsa); exportableJwk = JsonWebKeyConverter.ConvertFromRSASecurityKey(pubRsaSecKey); privateKey = rsaSecKey; break; case SecurityAlgorithms.HmacSha256: case SecurityAlgorithms.HmacSha384: case SecurityAlgorithms.HmacSha512: HMAC hmac = HMAC.Create(GetHmacAlgorithmFromName(algorithmName)); SymmetricSecurityKey hmacSecKey = new SymmetricSecurityKey(hmac.Key); signingCreds = new SigningCredentials(hmacSecKey, algorithmName); exportableJwk = JsonWebKeyConverter.ConvertFromSymmetricSecurityKey(hmacSecKey); privateKey = hmacSecKey; break; default: throw new ArgumentException($"Algorithm name '{algorithmName}' not supported", nameof(algorithmName)); } JwtHeader newHeader = new JwtHeader(signingCreds, null, JwtConstants.HeaderType); JwtSecurityToken newToken = new JwtSecurityToken(newHeader, customPayload); JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler(); string resultToken = tokenHandler.WriteToken(newToken); JsonSerializerOptions serializerOptions = JsonSerializerOptionsFactory.Create(JsonSerializerOptionsFactory.JsonIgnoreCondition.WhenWritingNull); string publicKeyJson = JsonSerializer.Serialize(exportableJwk, serializerOptions); string publicKeyEncoded = Base64UrlEncoder.Encode(publicKeyJson); options.Authentication.MonitorApiKey.Subject = subject; options.Authentication.MonitorApiKey.PublicKey = publicKeyEncoded; token = resultToken; return(options); }