public byte[][] WrapNewKey(int cekSizeBits, object key, IDictionary <string, object> header)
{
var sharedPassphrase = Ensure.Type <string>(key, "Pbse2HmacShaKeyManagementWithAesKeyWrap management algorithm expectes key to be string.");
byte[] sharedKey = Encoding.UTF8.GetBytes(sharedPassphrase);
byte[] algId = Encoding.UTF8.GetBytes((string)header["alg"]);
int iterationCount = 8192;
byte[] saltInput = Arrays.Random(96); //12 bytes
header["p2c"] = iterationCount;
header["p2s"] = Base64Url.Encode(saltInput);
byte[] salt = Arrays.Concat(algId, Arrays.Zero, saltInput);
byte[] kek;
using (var prf = PRF)
{
kek = PBKDF2.DeriveKey(sharedKey, salt, iterationCount, keyLengthBits, prf);
}
return(aesKW.WrapNewKey(cekSizeBits, kek, header));
}
public override byte[][] WrapNewKey(int cekSizeBits, object key, IDictionary <string, object> header)
{
byte[][] agreement = base.WrapNewKey(keyLengthBits, key, header);
byte[] kek = agreement[0]; //use agreed key as KEK for AES-KW
return(aesKW.WrapNewKey(cekSizeBits, kek, header));
}