public override void Canonicalize()
{
var jwk = PasswordBasedJwk.FromPassphrase("Thus from my lips, by yours, my sin is purged.");
var canonicalizedKey = (SymmetricJwk)CanonicalizeKey(jwk);
Assert.NotEmpty(canonicalizedKey.ToArray());
}
public override void WriteTo()
{
var key = PasswordBasedJwk.FromPassphrase("Thus from my lips, by yours, my sin is purged.");
key.Kid = JsonEncodedText.Encode("kid1");
key.KeyOps.Add(JwkKeyOpsValues.Sign);
key.Use = JwkUseValues.Sig;
key.X5t = Base64Url.Decode("dGhpcyBpcyBhIFNIQTEgdGVzdCE");
key.X5tS256 = Base64Url.Decode("dGhpcyBpcyBhIFNIQTI1NiB0ZXN0ISAgICAgICAgICA");
key.X5u = "https://example.com";
key.X5c.Add(Convert.FromBase64String("MIIDQjCCAiqgAwIBAgIGATz/FuLiMA0GCSqGSIb3DQEBBQUAMGIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDVQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1wYmVsbDAeFw0xMzAyMjEyMzI5MTVaFw0xODA4MTQyMjI5MTVaMGIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDVQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1wYmVsbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL64zn8/QnHYMeZ0LncoXaEde1fiLm1jHjmQsF/449IYALM9if6amFtPDy2yvz3YlRij66s5gyLCyO7ANuVRJx1NbgizcAblIgjtdf/u3WG7K+IiZhtELto/A7Fck9Ws6SQvzRvOE8uSirYbgmj6He4iO8NCyvaK0jIQRMMGQwsU1quGmFgHIXPLfnpnfajr1rVTAwtgV5LEZ4Iel+W1GC8ugMhyr4/p1MtcIM42EA8BzE6ZQqC7VPqPvEjZ2dbZkaBhPbiZAS3YeYBRDWm1p1OZtWamT3cEvqqPpnjL1XyW+oyVVkaZdklLQp2Btgt9qr21m42f4wTw+Xrp6rCKNb0CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAh8zGlfSlcI0o3rYDPBB07aXNswb4ECNIKG0CETTUxmXl9KUL+9gGlqCz5iWLOgWsnrcKcY0vXPG9J1r9AqBNTqNgHq2G03X09266X5CpOe1zFo+Owb1zxtp3PehFdfQJ610CDLEaS9V9Rqp17hCyybEpOGVwe8fnk+fbEL2Bo3UPGrpsHzUoaGpDftmWssZkhpBJKVMJyf/RuP2SmmaIzmnw9JiSlYhzo4tpzd5rFXhjRbg4zW9C+2qok+2+qDM1iJ684gPHMIY8aLWrdgQTxkumGmTqgawR+N5MDtdPTEQ0XfIBc2cJEUyMTY5MPvACWpkA6SdS4xSvdXK3IVfOWA=="));
using var bufferWriter = new PooledByteBufferWriter();
key.Serialize(bufferWriter);
var json = Encoding.UTF8.GetString(bufferWriter.WrittenSpan.ToArray());
Assert.Contains("\"kid\":\"kid1\"", json);
Assert.Contains("\"key_ops\":[\"sign\"]", json);
Assert.Contains("\"use\":\"sig\"", json);
Assert.Contains("\"x5t\":\"dGhpcyBpcyBhIFNIQTEgdGVzdCE\"", json);
Assert.Contains("\"x5t#S256\":\"dGhpcyBpcyBhIFNIQTI1NiB0ZXN0ISAgICAgICAgICA\"", json);
#if NETSTANDARD2_0
Assert.Contains("\"x5u\":\"" + JsonEncodedText.Encode("https://example.com") + "\"", json);
Assert.Contains("\"x5c\":[\"" + JsonEncodedText.Encode("MIIDQjCCAiqgAwIBAgIGATz/FuLiMA0GCSqGSIb3DQEBBQUAMGIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDVQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1wYmVsbDAeFw0xMzAyMjEyMzI5MTVaFw0xODA4MTQyMjI5MTVaMGIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDVQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1wYmVsbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL64zn8/QnHYMeZ0LncoXaEde1fiLm1jHjmQsF/449IYALM9if6amFtPDy2yvz3YlRij66s5gyLCyO7ANuVRJx1NbgizcAblIgjtdf/u3WG7K+IiZhtELto/A7Fck9Ws6SQvzRvOE8uSirYbgmj6He4iO8NCyvaK0jIQRMMGQwsU1quGmFgHIXPLfnpnfajr1rVTAwtgV5LEZ4Iel+W1GC8ugMhyr4/p1MtcIM42EA8BzE6ZQqC7VPqPvEjZ2dbZkaBhPbiZAS3YeYBRDWm1p1OZtWamT3cEvqqPpnjL1XyW+oyVVkaZdklLQp2Btgt9qr21m42f4wTw+Xrp6rCKNb0CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAh8zGlfSlcI0o3rYDPBB07aXNswb4ECNIKG0CETTUxmXl9KUL+9gGlqCz5iWLOgWsnrcKcY0vXPG9J1r9AqBNTqNgHq2G03X09266X5CpOe1zFo+Owb1zxtp3PehFdfQJ610CDLEaS9V9Rqp17hCyybEpOGVwe8fnk+fbEL2Bo3UPGrpsHzUoaGpDftmWssZkhpBJKVMJyf/RuP2SmmaIzmnw9JiSlYhzo4tpzd5rFXhjRbg4zW9C+2qok+2+qDM1iJ684gPHMIY8aLWrdgQTxkumGmTqgawR+N5MDtdPTEQ0XfIBc2cJEUyMTY5MPvACWpkA6SdS4xSvdXK3IVfOWA==") + "\"]", json);
#else
Assert.Contains("\"x5u\":\"" + JsonEncodedText.Encode("https://example.com", JsonSerializationBehavior.JsonEncoder) + "\"", json);
Assert.Contains("\"x5c\":[\"" + JsonEncodedText.Encode("MIIDQjCCAiqgAwIBAgIGATz/FuLiMA0GCSqGSIb3DQEBBQUAMGIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDVQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1wYmVsbDAeFw0xMzAyMjEyMzI5MTVaFw0xODA4MTQyMjI5MTVaMGIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDVQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1wYmVsbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL64zn8/QnHYMeZ0LncoXaEde1fiLm1jHjmQsF/449IYALM9if6amFtPDy2yvz3YlRij66s5gyLCyO7ANuVRJx1NbgizcAblIgjtdf/u3WG7K+IiZhtELto/A7Fck9Ws6SQvzRvOE8uSirYbgmj6He4iO8NCyvaK0jIQRMMGQwsU1quGmFgHIXPLfnpnfajr1rVTAwtgV5LEZ4Iel+W1GC8ugMhyr4/p1MtcIM42EA8BzE6ZQqC7VPqPvEjZ2dbZkaBhPbiZAS3YeYBRDWm1p1OZtWamT3cEvqqPpnjL1XyW+oyVVkaZdklLQp2Btgt9qr21m42f4wTw+Xrp6rCKNb0CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAh8zGlfSlcI0o3rYDPBB07aXNswb4ECNIKG0CETTUxmXl9KUL+9gGlqCz5iWLOgWsnrcKcY0vXPG9J1r9AqBNTqNgHq2G03X09266X5CpOe1zFo+Owb1zxtp3PehFdfQJ610CDLEaS9V9Rqp17hCyybEpOGVwe8fnk+fbEL2Bo3UPGrpsHzUoaGpDftmWssZkhpBJKVMJyf/RuP2SmmaIzmnw9JiSlYhzo4tpzd5rFXhjRbg4zW9C+2qok+2+qDM1iJ684gPHMIY8aLWrdgQTxkumGmTqgawR+N5MDtdPTEQ0XfIBc2cJEUyMTY5MPvACWpkA6SdS4xSvdXK3IVfOWA==", JsonSerializationBehavior.JsonEncoder) + "\"]", json);
#endif
Assert.Contains("\"k\":\"" + Encoding.UTF8.GetString(Base64Url.Encode(key.ToArray())) + "\"", json);
}
protected string EncryptKey(IConsole console, JsonWebToken.Jwk key)
{
if (_password is null)
{
return(key.ToString());
}
var alg = KeyManagementAlgorithm.Pbes2HS256A128KW;
var enc = EncryptionAlgorithm.A128CbcHS256;
console.Verbose(
$@"Encrypting the JWK...
Algorithm: {alg}
Encryption algorithm: {enc}
Password derivation iteration count: {_iterationCount}
Password derivation salt size: {_saltSize} bits");
var encryptionKey = PasswordBasedJwk.FromPassphrase(_password, iterationCount: _iterationCount, saltSizeInBytes: _saltSize);
var writer = new JwtWriter();
var descriptor = new JwkJweDescriptor(encryptionKey, alg, enc)
{
Payload = key
};
var result = writer.WriteTokenString(descriptor);
console.Verbose("JWK encrypted.");
return(result);
}
public string Transform(IConsole console, string data)
{
if (_password != null)
{
var alg = KeyManagementAlgorithm.Pbes2HS256A128KW;
var enc = EncryptionAlgorithm.A128CbcHS256;
console.Verbose(
$@"Encrypting the JWK...
Algorithm: {alg}
Encryption algorithm: {enc}
Password derivation iteration count: {_iterationCount}
Password derivation salt size: {_saltSize} bits");
var encryptionKey = PasswordBasedJwk.FromPassphrase(_password, iterationCount: _iterationCount, saltSizeInBytes: _saltSize);
var writer = new JwtWriter();
var descriptor = new PlaintextJweDescriptor(encryptionKey, alg, enc)
{
Payload = data
};
console.Verbose("JWK encrypted.");
return(writer.WriteTokenString(descriptor));
}
return(data);
}
public void Wrap_Rfc7518_Appendix_C()
{
var salt = new byte[16] {
217, 96, 147, 112, 150, 117, 70, 247, 127, 8, 155, 137, 174, 42, 80, 215
};
var staticKey = new byte[] { 111, 27, 25, 52, 66, 29, 20, 78, 92, 176, 56, 240, 65, 208, 82, 112, 161, 131, 36, 55, 202, 236, 185, 172, 129, 23, 153, 194, 195, 48, 253, 182 };
var expectedEncryptedKey = new byte[] { 78, 186, 151, 59, 11, 141, 81, 240, 213, 245, 83, 211, 53, 188, 134, 188, 66, 125, 36, 200, 222, 124, 5, 103, 249, 52, 117, 184, 140, 81, 246, 158, 161, 177, 20, 33, 245, 57, 59, 4 };
var kwp = new Pbes2KeyWrapper(
PasswordBasedJwk.FromPassphrase(_password),
EncryptionAlgorithm.A128CbcHS256,
KeyManagementAlgorithm.Pbes2HS256A128KW,
4096,
(uint)salt.Length,
new StubSaltGenerator(salt));
var header = new JwtHeader
{
{ JwtHeaderParameterNames.Alg, KeyManagementAlgorithm.Pbes2HS256A128KW.Name },
{ JwtHeaderParameterNames.Enc, EncryptionAlgorithm.A128CbcHS256.Name }
};
var destination = new byte[kwp.GetKeyWrapSize()];
var cek = kwp.WrapKey(SymmetricJwk.FromByteArray(staticKey), header, destination);
Assert.Equal(expectedEncryptedKey, destination);
Assert.True(header.TryGetValue("p2s", out var jwtMember));
Assert.Equal("2WCTcJZ1Rvd_CJuJripQ1w", (string)jwtMember.Value);
Assert.True(header.TryGetValue("p2c", out jwtMember));
Assert.Equal(4096u, (uint)jwtMember.Value);
}
internal Pbes2KeyUnwrapper(PasswordBasedJwk key, EncryptionAlgorithm encryptionAlgorithm, KeyManagementAlgorithm algorithm)
: base(encryptionAlgorithm, algorithm)
{
Debug.Assert(key.SupportKeyManagement(algorithm));
Debug.Assert(algorithm.Category == AlgorithmCategory.Pbkdf2);
Debug.Assert(algorithm.WrappedAlgorithm != null);
Debug.Assert(algorithm.HashAlgorithm != null);
_algorithm = algorithm.Name;
_keySizeInBytes = algorithm.WrappedAlgorithm.RequiredKeySizeInBits >> 3;
_algorithmNameLength = _algorithm.EncodedUtf8Bytes.Length;
_hashAlgorithm = algorithm.HashAlgorithm;
_keyManagementAlgorithm = algorithm.WrappedAlgorithm;
_password = key.ToArray();
}
public void Unwrap()
{
var expectedStaticKey = new byte[] { 111, 27, 25, 52, 66, 29, 20, 78, 92, 176, 56, 240, 65, 208, 82, 112, 161, 131, 36, 55, 202, 236, 185, 172, 129, 23, 153, 194, 195, 48, 253, 182 };
var wrappedKey = new byte[] { 78, 186, 151, 59, 11, 141, 81, 240, 213, 245, 83, 211, 53, 188, 134, 188, 66, 125, 36, 200, 222, 124, 5, 103, 249, 52, 117, 184, 140, 81, 246, 158, 161, 177, 20, 33, 245, 57, 59, 4 };
var parsed = JwtHeaderDocument.TryParseHeader(Encoding.UTF8.GetBytes($"{{\"p2s\":\"2WCTcJZ1Rvd_CJuJripQ1w\",\"p2c\":4096}}"), null, TokenValidationPolicy.NoValidation, out var jwtHeader, out var error);
Assert.True(parsed);
var kuwp = new Pbes2KeyUnwrapper(PasswordBasedJwk.FromPassphrase(_password), EncryptionAlgorithm.A128CbcHS256, KeyManagementAlgorithm.Pbes2HS256A128KW);
byte[] unwrappedKey = new byte[kuwp.GetKeyUnwrapSize(wrappedKey.Length)];
var unwrapped = kuwp.TryUnwrapKey(wrappedKey, unwrappedKey, jwtHeader, out _);
Assert.True(unwrapped);
Assert.Equal(expectedStaticKey, unwrappedKey);
}
public Pbes2KeyWrapper(PasswordBasedJwk key, EncryptionAlgorithm encryptionAlgorithm, KeyManagementAlgorithm algorithm, uint iterationCount, uint saltSizeInBytes, ISaltGenerator saltGenerator)
: base(encryptionAlgorithm, algorithm)
{
Debug.Assert(key.SupportKeyManagement(algorithm));
Debug.Assert(algorithm.Category == AlgorithmCategory.Pbkdf2);
Debug.Assert(algorithm.WrappedAlgorithm != null);
Debug.Assert(algorithm.HashAlgorithm != null);
_algorithm = algorithm.Name;
_keySizeInBytes = algorithm.WrappedAlgorithm.RequiredKeySizeInBits >> 3;
_algorithmNameLength = _algorithm.EncodedUtf8Bytes.Length;
_hashAlgorithm = algorithm.HashAlgorithm;
_keyManagementAlgorithm = algorithm.WrappedAlgorithm;
_password = key.ToArray();
_iterationCount = iterationCount;
_saltSizeInBytes = (int)saltSizeInBytes;
_saltGenerator = saltGenerator;
}
public void Equal()
{
var key = PasswordBasedJwk.FromPassphrase("Hello world");
Assert.True(key.Equals(key));
Assert.Equal(key, key);
var copiedKey = PasswordBasedJwk.FromPassphrase("Hello world");
Assert.Equal(key, copiedKey);
// 'kid' is not a discriminant, excepted if the value is different.
copiedKey.Kid = default;
Assert.Equal(key, copiedKey);
Assert.Equal(copiedKey, key);
key.Kid = default;
Assert.Equal(key, copiedKey);
key.Kid = JsonEncodedText.Encode("X");
copiedKey.Kid = JsonEncodedText.Encode("Y");
Assert.NotEqual(key, copiedKey);
Assert.NotEqual(key, Jwk.None);
}
static void Main()
{
// Key sample from https://tools.ietf.org/html/rfc7517#appendix-C
var rsaKey = RsaJwk.FromBase64Url
(
n: "t6Q8PWSi1dkJj9hTP8hNYFlvadM7DflW9mWepOJhJ66w7nyoK1gPNqFMSQRyO125Gp-TEkodhWr0iujjHVx7BcV0llS4w5ACGgPrcAd6ZcSR0-Iqom-QFcNP8Sjg086MwoqQU_LYywlAGZ21WSdS_PERyGFiNnj3QQlO8Yns5jCtLCRwLHL0Pb1fEv45AuRIuUfVcPySBWYnDyGxvjYGDSM-AqWS9zIQ2ZilgT-GqUmipg0XOC0Cc20rgLe2ymLHjpHciCKVAbY5-L32-lSeZO-Os6U15_aXrk9Gw8cPUaX1_I8sLGuSiVdt3C_Fn2PZ3Z8i744FPFGGcG1qs2Wz-Q",
e: "AQAB",
d: "GRtbIQmhOZtyszfgKdg4u_N-R_mZGU_9k7JQ_jn1DnfTuMdSNprTeaSTyWfSNkuaAwnOEbIQVy1IQbWVV25NY3ybc_IhUJtfri7bAXYEReWaCl3hdlPKXy9UvqPYGR0kIXTQRqns-dVJ7jahlI7LyckrpTmrM8dWBo4_PMaenNnPiQgO0xnuToxutRZJfJvG4Ox4ka3GORQd9CsCZ2vsUDmsXOfUENOyMqADC6p1M3h33tsurY15k9qMSpG9OX_IJAXmxzAh_tWiZOwk2K4yxH9tS3Lq1yX8C1EWmeRDkK2ahecG85-oLKQt5VEpWHKmjOi_gJSdSgqcN96X52esAQ",
p: "2rnSOV4hKSN8sS4CgcQHFbs08XboFDqKum3sc4h3GRxrTmQdl1ZK9uw-PIHfQP0FkxXVrx-WE-ZEbrqivH_2iCLUS7wAl6XvARt1KkIaUxPPSYB9yk31s0Q8UK96E3_OrADAYtAJs-M3JxCLfNgqh56HDnETTQhH3rCT5T3yJws",
q: "1u_RiFDP7LBYh3N4GXLT9OpSKYP0uQZyiaZwBtOCBNJgQxaj10RWjsZu0c6Iedis4S7B_coSKB0Kj9PaPaBzg-IySRvvcQuPamQu66riMhjVtG6TlV8CLCYKrYl52ziqK0E_ym2QnkwsUX7eYTB7LbAHRK9GqocDE5B0f808I4s",
dp: "KkMTWqBUefVwZ2_Dbj1pPQqyHSHjj90L5x_MOzqYAJMcLMZtbUtwKqvVDq3tbEo3ZIcohbDtt6SbfmWzggabpQxNxuBpoOOf_a_HgMXK_lhqigI4y_kqS1wY52IwjUn5rgRrJ-yYo1h41KR-vz2pYhEAeYrhttWtxVqLCRViD6c",
dq: "AvfS0-gRxvn0bwJoMSnFxYcK1WnuEjQFluMGfwGitQBWtfZ1Er7t1xDkbN9GQTB9yqpDoYaN06H7CFtrkxhJIBQaj6nkF5KKS3TQtQ5qCzkOkmxIe3KRbBymXxkb5qwUpX5ELD5xFc6FeiafWYY63TmmEAu_lRFCOJ3xDea-ots",
qi: "lSQi-w9CpyUReMErP1RsBLk7wNtOvs5EQpPqmuMvqW57NBUczScEoPwmUqqabu9V0-Py4dQ57_bapoKRu1R90bvuFnU63SHWEFglZQvJDMeAvmj4sm-Fp0oYu_neotgQ0hzbI5gry7ajdYy9-2lNx_76aBZoOUu9HCJ-UsfSOI8"
);
rsaKey.Kid = JsonEncodedText.Encode("*****@*****.**");
rsaKey.Use = JwkUseValues.Enc;
// Generates the password based key
var sharedPassword = PasswordBasedJwk.FromPassphrase("Thus from my lips, by yours, my sin is purged.", iterationCount: 4096, saltSizeInBytes: 16, computeThumbprint: false);
// Creates the JWE descriptor for JWK
// The descriptor sets the 'alg' with value 'PBES2-HS256+A128KW' and 'enc' with value 'A128CBC-HS256'
var descriptor = new JwkJweDescriptor(sharedPassword, KeyManagementAlgorithm.Pbes2HS256A128KW, EncryptionAlgorithm.A128CbcHS256)
{
Payload = rsaKey
};
// Generates the UTF-8 string representation of the JWT
var writer = new JwtWriter();
var token = writer.WriteTokenString(descriptor);
Console.WriteLine("The JWT is:");
Console.WriteLine(descriptor);
Console.WriteLine();
Console.WriteLine("Its compact form is:");
Console.WriteLine(token);
}
public override string Transform(IConsole console, string data)
{
console.Verbose($@"Decrypting the JWK...
Password derivation iteration count: {_iterationCount}
Password derivation salt size: {_saltSize} bits");
var decryptionKey = PasswordBasedJwk.FromPassphrase(_password, _iterationCount, _saltSize);
var policy = new TokenValidationPolicyBuilder().WithDecryptionKeys(decryptionKey).IgnoreNestedToken().AcceptUnsecureTokenByDefault().Build();
Jwt?jwt = null;
try
{
if (!Jwt.TryParse(data, policy, out jwt))
{
throw new InvalidOperationException($"Failed to decrypt the key.\n{jwt.Error!.Status}\n{jwt.Error!.Message}");
}
console.Verbose("JWK decrypted.");
return(jwt.Plaintext);
}
finally
{
jwt?.Dispose();
}
}