/// <summary>
/// Creates a JsonWebToken (JWE or JWS). Raw header value is passed in as one of the parameters for testing purposes.
/// Will be removed when this is released.
/// </summary>
private string CreateJsonWebToken(JObject payload, SigningCredentials signingCredentials, EncryptingCredentials encryptingCredentials, string rawHeader)
{
if (payload == null)
{
throw LogHelper.LogArgumentNullException(nameof(payload));
}
if (rawHeader == null)
{
throw LogHelper.LogArgumentNullException(nameof(rawHeader));
}
string rawPayload = Base64UrlEncoder.Encode(Encoding.UTF8.GetBytes(payload.ToString(Newtonsoft.Json.Formatting.None)));
string rawSignature = signingCredentials == null ? string.Empty : JwtTokenUtilities.CreateEncodedSignature(string.Concat(rawHeader, ".", rawPayload), signingCredentials);
var rawData = rawHeader + "." + rawPayload + "." + rawSignature;
if (encryptingCredentials != null)
{
return(EncryptToken(rawData, encryptingCredentials));
}
else
{
return(rawData);
}
}
internal static SecurityKey GetSecurityKey(EncryptingCredentials encryptingCredentials, CryptoProviderFactory cryptoProviderFactory, out byte[] wrappedKey)
{
SecurityKey securityKey = null;
KeyWrapProvider kwProvider = null;
wrappedKey = null;
// if direct algorithm, look for support
if (JwtConstants.DirectKeyUseAlg.Equals(encryptingCredentials.Alg))
{
if (!cryptoProviderFactory.IsSupportedAlgorithm(encryptingCredentials.Enc, encryptingCredentials.Key))
{
throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10615, LogHelper.MarkAsNonPII(encryptingCredentials.Enc), encryptingCredentials.Key)));
}
securityKey = encryptingCredentials.Key;
}
else
{
if (!cryptoProviderFactory.IsSupportedAlgorithm(encryptingCredentials.Alg, encryptingCredentials.Key))
{
throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10615, LogHelper.MarkAsNonPII(encryptingCredentials.Alg), encryptingCredentials.Key)));
}
// only 128, 384 and 512 AesCbcHmac for CEK algorithm
if (SecurityAlgorithms.Aes128CbcHmacSha256.Equals(encryptingCredentials.Enc))
{
securityKey = new SymmetricSecurityKey(JwtTokenUtilities.GenerateKeyBytes(256));
}
else if (SecurityAlgorithms.Aes192CbcHmacSha384.Equals(encryptingCredentials.Enc))
{
securityKey = new SymmetricSecurityKey(JwtTokenUtilities.GenerateKeyBytes(384));
}
else if (SecurityAlgorithms.Aes256CbcHmacSha512.Equals(encryptingCredentials.Enc))
{
securityKey = new SymmetricSecurityKey(JwtTokenUtilities.GenerateKeyBytes(512));
}
else
{
throw LogHelper.LogExceptionMessage(
new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10617, LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes128CbcHmacSha256), LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes192CbcHmacSha384), LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes256CbcHmacSha512), LogHelper.MarkAsNonPII(encryptingCredentials.Enc))));
}
kwProvider = cryptoProviderFactory.CreateKeyWrapProvider(encryptingCredentials.Key, encryptingCredentials.Alg);
wrappedKey = kwProvider.WrapKey(((SymmetricSecurityKey)securityKey).Key);
}
return(securityKey);
}
/// <summary>
/// Creates a JsonWebToken (JWS or JWE).
/// </summary>
/// <param name="payload">A JObject that represents the JWT token payload.</param>
/// <param name="signingCredentials">Defines the security key and algorithm that will be used to sign the JWT.</param>
/// <param name="encryptingCredentials">Defines the security key and algorithm that will be used to encrypt the JWT.</param>
/// <returns>A JWT in compact serialization format.</returns>
private string CreateJsonWebToken(JObject payload, SigningCredentials signingCredentials, EncryptingCredentials encryptingCredentials)
{
if (payload == null)
{
throw LogHelper.LogArgumentNullException(nameof(payload));
}
string rawHeader;
if (!JsonWebTokenManager.KeyToHeaderCache.TryGetValue(JsonWebTokenManager.GetHeaderCacheKey(signingCredentials), out rawHeader))
{
var header = signingCredentials == null ? new JObject() : new JObject
{
{ JwtHeaderParameterNames.Alg, signingCredentials.Algorithm },
{ JwtHeaderParameterNames.Kid, signingCredentials.Key.KeyId },
{ JwtHeaderParameterNames.Typ, JwtConstants.HeaderType }
};
rawHeader = Base64UrlEncoder.Encode(Encoding.UTF8.GetBytes(header.ToString(Newtonsoft.Json.Formatting.None)));
JsonWebTokenManager.KeyToHeaderCache.TryAdd(JsonWebTokenManager.GetHeaderCacheKey(signingCredentials), rawHeader);
}
string rawPayload = Base64UrlEncoder.Encode(Encoding.UTF8.GetBytes(payload.ToString(Newtonsoft.Json.Formatting.None)));
string rawSignature = signingCredentials == null ? string.Empty : JwtTokenUtilities.CreateEncodedSignature(string.Concat(rawHeader, ".", rawPayload), signingCredentials);
var rawData = rawHeader + "." + rawPayload + "." + rawSignature;
if (encryptingCredentials != null)
{
return(EncryptToken(rawData, encryptingCredentials));
}
else
{
return(rawData);
}
}
private string EncryptToken(string innerJwt, EncryptingCredentials encryptingCredentials)
{
var cryptoProviderFactory = encryptingCredentials.CryptoProviderFactory ?? encryptingCredentials.Key.CryptoProviderFactory;
if (cryptoProviderFactory == null)
{
throw LogHelper.LogExceptionMessage(new ArgumentException(LogMessages.IDX14104));
}
// if direct algorithm, look for support
if (JwtConstants.DirectKeyUseAlg.Equals(encryptingCredentials.Alg, StringComparison.Ordinal))
{
if (!cryptoProviderFactory.IsSupportedAlgorithm(encryptingCredentials.Enc, encryptingCredentials.Key))
{
throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10615, encryptingCredentials.Enc, encryptingCredentials.Key)));
}
var header = new JObject();
if (!string.IsNullOrEmpty(encryptingCredentials.Alg))
{
header.Add(JwtHeaderParameterNames.Alg, encryptingCredentials.Alg);
}
if (!string.IsNullOrEmpty(encryptingCredentials.Enc))
{
header.Add(JwtHeaderParameterNames.Enc, encryptingCredentials.Enc);
}
if (!string.IsNullOrEmpty(encryptingCredentials.Key.KeyId))
{
header.Add(JwtHeaderParameterNames.Kid, encryptingCredentials.Key.KeyId);
}
header.Add(JwtHeaderParameterNames.Typ, JwtConstants.HeaderType);
var encryptionProvider = cryptoProviderFactory.CreateAuthenticatedEncryptionProvider(encryptingCredentials.Key, encryptingCredentials.Enc);
if (encryptionProvider == null)
{
throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogMessages.IDX14103));
}
try
{
var rawHeader = Base64UrlEncoder.Encode(Encoding.UTF8.GetBytes(header.ToString(Newtonsoft.Json.Formatting.None)));
var encryptionResult = encryptionProvider.Encrypt(Encoding.UTF8.GetBytes(innerJwt), Encoding.ASCII.GetBytes(rawHeader));
return(string.Join(".", rawHeader, string.Empty, Base64UrlEncoder.Encode(encryptionResult.IV), Base64UrlEncoder.Encode(encryptionResult.Ciphertext), Base64UrlEncoder.Encode(encryptionResult.AuthenticationTag)));
}
catch (Exception ex)
{
throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10616, encryptingCredentials.Enc, encryptingCredentials.Key), ex));
}
}
else
{
if (!cryptoProviderFactory.IsSupportedAlgorithm(encryptingCredentials.Alg, encryptingCredentials.Key))
{
throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10615, encryptingCredentials.Alg, encryptingCredentials.Key)));
}
SymmetricSecurityKey symmetricKey = null;
// only 128, 384 and 512 AesCbcHmac for CEK algorithm
if (SecurityAlgorithms.Aes128CbcHmacSha256.Equals(encryptingCredentials.Enc, StringComparison.Ordinal))
{
symmetricKey = new SymmetricSecurityKey(JwtTokenUtilities.GenerateKeyBytes(256));
}
else if (SecurityAlgorithms.Aes192CbcHmacSha384.Equals(encryptingCredentials.Enc, StringComparison.Ordinal))
{
symmetricKey = new SymmetricSecurityKey(JwtTokenUtilities.GenerateKeyBytes(384));
}
else if (SecurityAlgorithms.Aes256CbcHmacSha512.Equals(encryptingCredentials.Enc, StringComparison.Ordinal))
{
symmetricKey = new SymmetricSecurityKey(JwtTokenUtilities.GenerateKeyBytes(512));
}
else
{
throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10617, SecurityAlgorithms.Aes128CbcHmacSha256, SecurityAlgorithms.Aes192CbcHmacSha384, SecurityAlgorithms.Aes256CbcHmacSha512, encryptingCredentials.Enc)));
}
var kwProvider = cryptoProviderFactory.CreateKeyWrapProvider(encryptingCredentials.Key, encryptingCredentials.Alg);
var wrappedKey = kwProvider.WrapKey(symmetricKey.Key);
var encryptionProvider = cryptoProviderFactory.CreateAuthenticatedEncryptionProvider(symmetricKey, encryptingCredentials.Enc);
if (encryptionProvider == null)
{
throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogMessages.IDX14103));
}
try
{
var header = new JObject();
if (!string.IsNullOrEmpty(encryptingCredentials.Alg))
{
header.Add(JwtHeaderParameterNames.Alg, encryptingCredentials.Alg);
}
if (!string.IsNullOrEmpty(encryptingCredentials.Enc))
{
header.Add(JwtHeaderParameterNames.Enc, encryptingCredentials.Enc);
}
if (!string.IsNullOrEmpty(encryptingCredentials.Key.KeyId))
{
header.Add(JwtHeaderParameterNames.Kid, encryptingCredentials.Key.KeyId);
}
header.Add(JwtHeaderParameterNames.Typ, JwtConstants.HeaderType);
var rawHeader = Base64UrlEncoder.Encode(Encoding.UTF8.GetBytes(header.ToString(Newtonsoft.Json.Formatting.None)));
var encryptionResult = encryptionProvider.Encrypt(Encoding.UTF8.GetBytes(innerJwt), Encoding.ASCII.GetBytes(rawHeader));
return(string.Join(".", rawHeader, Base64UrlEncoder.Encode(wrappedKey), Base64UrlEncoder.Encode(encryptionResult.IV), Base64UrlEncoder.Encode(encryptionResult.Ciphertext), Base64UrlEncoder.Encode(encryptionResult.AuthenticationTag)));
}
catch (Exception ex)
{
throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10616, encryptingCredentials.Enc, encryptingCredentials.Key), ex));
}
}
}