public SecurityTokenDescriptor CreateDescriptor(string name = "user", string nameIdentifier = "user-id", SecurityKey encryptionKey = null, SecurityKey signingKey = null, SecurityKey proofKey = null, bool encryptProofKey = true) { if (encryptionKey == null) encryptionKey = DefaultEncryptionKey; if (signingKey == null) signingKey = DefaultSigningKey; var claims = new List<Claim>(); if (name != null) claims.Add(new Claim(ClaimTypes.Name, name)); if (nameIdentifier != null) claims.Add(new Claim(ClaimTypes.NameIdentifier, nameIdentifier)); var identity = new ClaimsIdentity(claims, "Test", ClaimTypes.NameIdentifier, ClaimTypes.Role); var encryptingCredentials = new EncryptingCredentials(encryptionKey, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes128Encryption); var descriptor = new RequestedSecurityTokenDescriptor { Issuer = "urn:tests", Audience = "urn:unittests", EncryptingCredentials = encryptingCredentials, SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256Signature, SecurityAlgorithms.Sha256Digest), IssuedAt = DateTime.UtcNow, Expires = DateTime.UtcNow.AddMinutes(5), NotBefore = DateTime.UtcNow, Subject = identity, ProofKey = proofKey, ProofKeyEncryptingCredentials = encryptProofKey ? encryptingCredentials : null }; return descriptor; }
protected virtual KeyInfo CreateProofKeyInfo(RequestedSecurityTokenDescriptor tokenDescriptor) { if (tokenDescriptor.ProofKey == null) { return(null); } if (tokenDescriptor.ProofKey is SymmetricSecurityKey symmetric) { var credentials = tokenDescriptor.ProofKeyEncryptingCredentials; if (credentials == null) { return new BinarySecretKeyInfo { Key = symmetric.Key } } ; var crypto = credentials.CryptoProviderFactory ?? credentials.Key.CryptoProviderFactory ?? CryptoProviderFactory.Default; var keyWrap = null as KeyWrapProvider; try { keyWrap = crypto.CreateKeyWrapProvider(credentials.Key, credentials.Alg); var wrapped = keyWrap.WrapKey(symmetric.Key); var cipherValue = wrapped; return(new EncryptedKeyInfo { CipherValue = cipherValue, EncryptionMethod = credentials.Alg, KeyInfo = CreateKeyInfo(credentials.Key) }); } finally { if (keyWrap != null) { crypto?.ReleaseKeyWrapProvider(keyWrap); } } } else if (tokenDescriptor.ProofKey is AsymmetricSecurityKey) { throw new NotSupportedException($"Asymmetric proof keys not supported for now."); } else { throw new NotSupportedException($"Key type '{tokenDescriptor.ProofKey.GetType().Name}' not supported."); } }