internal static IPrivateKeyProvider Create(
IPublicKeyDataProvider publicKeyDataProvider,
TimeSpan keyLifetime,
TimeSpan keyRotationPeriod,
IDateTimeProvider dateTimeProvider = null
) {
if( keyLifetime < keyRotationPeriod ) {
throw new ArgumentException( "Private key lifetime must exceed the rotation period", "keyLifetime" );
}
dateTimeProvider = dateTimeProvider ?? new DateTimeProvider();
ID2LSecurityTokenFactory d2lSecurityTokenFactory = new D2LSecurityTokenFactory(
dateTimeProvider,
keyLifetime
);
IPrivateKeyProvider privateKeyProvider = new RsaPrivateKeyProvider(
d2lSecurityTokenFactory
);
privateKeyProvider = new SavingPrivateKeyProvider(
privateKeyProvider,
PublicKeyDataProviderFactory.CreateInternal( publicKeyDataProvider )
);
privateKeyProvider = new RotatingPrivateKeyProvider(
privateKeyProvider,
dateTimeProvider,
keyRotationPeriod
);
return privateKeyProvider;
}
/// <summary>
/// Creates an <see cref="ITokenSigner"/> instance which saves public keys to the provided <see cref="IPublicKeyDataProvider"/>
/// </summary>
/// <param name="publicKeyDataProvider">The <see cref="IPublicKeyDataProvider"/> for the local service</param>
/// <param name="curve">The curve to use</param>
/// <param name="keyLifetime">The max time a private key and its tokens may be used for</param>
/// <param name="keyRotationPeriod">How often to switch to signing with a new private key. The difference between this and <paramref name="keyLifetime"/> is the maximum token lifetime.</param>
/// <returns>A new <see cref="ITokenSigner"/></returns>
public static ITokenSigner Create(
IPublicKeyDataProvider publicKeyDataProvider,
Curve curve,
TimeSpan keyLifetime,
TimeSpan keyRotationPeriod
) {
CngAlgorithm algorithm;
switch( curve ) {
case Curve.P521: {
algorithm = CngAlgorithm.ECDsaP521;
break;
}
case Curve.P384: {
algorithm = CngAlgorithm.ECDsaP384;
break;
}
case Curve.P256:
default: {
algorithm = CngAlgorithm.ECDsaP256;
break;
}
}
IPrivateKeyProvider privateKeyProvider = EcDsaPrivateKeyProvider
.Factory
.Create(
publicKeyDataProvider,
keyLifetime,
keyRotationPeriod,
algorithm
);
var tokenSigner = new TokenSigner( privateKeyProvider );
return tokenSigner;
}
public SavingPrivateKeyProvider(
IPrivateKeyProvider inner,
ISanePublicKeyDataProvider publicKeyDataProvider
) {
m_inner = inner;
m_publicKeyDataProvider = publicKeyDataProvider;
}
protected override ITokenSigner GetTokenSigner(IPublicKeyDataProvider p)
{
return(EcDsaTokenSignerFactory.Create(
p,
EcDsaTokenSignerFactory.Curve.P521
));
}
public ExpiringPublicKeyDataProvider(
IPublicKeyDataProvider inner,
IDateTimeProvider dateTimeProvider
)
{
m_inner = inner ?? throw new ArgumentNullException(nameof(inner));
m_dateTimeProvider = dateTimeProvider ?? throw new ArgumentException(nameof(dateTimeProvider));
}
public LocalPublicKeyProvider(
ISanePublicKeyDataProvider publicKeyDataProvider,
IInMemoryPublicKeyCache cache
)
{
m_publicKeyDataProvider = publicKeyDataProvider ?? throw new ArgumentNullException(nameof(publicKeyDataProvider));
m_cache = cache ?? throw new ArgumentNullException(nameof(cache));
}
public SavingPrivateKeyProvider(
IPrivateKeyProvider inner,
ISanePublicKeyDataProvider publicKeyDataProvider
)
{
m_inner = inner;
m_publicKeyDataProvider = publicKeyDataProvider;
}
public ExpiringPublicKeyDataProvider(
IPublicKeyDataProvider inner
) {
if( inner == null ) {
throw new ArgumentNullException( "inner" );
}
m_inner = inner;
}
/// <summary>
/// Creates an <see cref="ITokenSigner"/> instance which saves public keys to the provided <see cref="IPublicKeyDataProvider"/>
/// </summary>
/// <param name="publicKeyDataProvider">The <see cref="IPublicKeyDataProvider"/> for the local service</param>
/// <returns>A new <see cref="ITokenSigner"/></returns>
public static ITokenSigner Create(
IPublicKeyDataProvider publicKeyDataProvider
) {
return Create(
publicKeyDataProvider,
keyLifetime: Constants.DEFAULT_KEY_LIFETIME,
keyRotationPeriod: Constants.DEFAULT_KEY_ROTATION_PERIOD
);
}
/// <summary>
/// Creates an <see cref="ITokenSigner"/> instance which saves public keys to the provided <see cref="IPublicKeyDataProvider"/>
/// </summary>
/// <param name="publicKeyDataProvider">The <see cref="IPublicKeyDataProvider"/> for the local service</param>
/// <returns>A new <see cref="ITokenSigner"/></returns>
public static ITokenSigner Create(
IPublicKeyDataProvider publicKeyDataProvider
)
{
return(Create(
publicKeyDataProvider,
keyLifetime: Constants.DEFAULT_KEY_LIFETIME,
keyRotationPeriod: Constants.DEFAULT_KEY_ROTATION_PERIOD
));
}
/// <summary>
/// Creates an <see cref="ITokenSigner"/> instance which saves public keys to the provided <see cref="IPublicKeyDataProvider"/>
/// </summary>
/// <param name="publicKeyDataProvider">The <see cref="IPublicKeyDataProvider"/> for the local service</param>
/// <param name="keyLifetime">The max time a private key and its tokens may be used for</param>
/// <param name="keyRotationPeriod">How often to switch to signing with a new private key. The difference between this and <paramref name="keyLifetime"/> is the maximum token lifetime.</param>
/// <returns>A new <see cref="ITokenSigner"/></returns>
public static ITokenSigner Create(
IPublicKeyDataProvider publicKeyDataProvider,
TimeSpan keyLifetime,
TimeSpan keyRotationPeriod
) {
return RsaTokenSignerFactory.Create(
publicKeyDataProvider,
keyLifetime: keyLifetime,
keyRotationPeriod: keyRotationPeriod
);
}
/// <summary>
/// Creates an <see cref="IAccessTokenValidator"/> instance backed by local public keys.
/// </summary>
/// <param name="publicKeyDataProvider">The <see cref="IPublicKeyDataProvider"/> for the local service</param>
/// <returns>A new <see cref="IAccessTokenValidator"/></returns>
public static IAccessTokenValidator CreateLocalValidator(
IPublicKeyDataProvider publicKeyDataProvider
) {
var publicKeyProvider = new LocalPublicKeyProvider(
PublicKeyDataProviderFactory.CreateInternal( publicKeyDataProvider ),
new InMemoryPublicKeyCache()
);
var result = new AccessTokenValidator( publicKeyProvider );
return result;
}
/// <summary>
/// Creates an <see cref="ITokenSigner"/> instance which saves public keys to the provided <see cref="IPublicKeyDataProvider"/>
/// </summary>
/// <param name="publicKeyDataProvider">The <see cref="IPublicKeyDataProvider"/> for the local service</param>
/// <param name="keyLifetime">The max time a private key and its tokens may be used for</param>
/// <param name="keyRotationPeriod">How often to switch to signing with a new private key. The difference between this and <paramref name="keyLifetime"/> is the maximum token lifetime.</param>
/// <returns>A new <see cref="ITokenSigner"/></returns>
public static ITokenSigner Create(
IPublicKeyDataProvider publicKeyDataProvider,
TimeSpan keyLifetime,
TimeSpan keyRotationPeriod
)
{
return(RsaTokenSignerFactory.Create(
publicKeyDataProvider,
keyLifetime: keyLifetime,
keyRotationPeriod: keyRotationPeriod
));
}
public void SetUp() {
m_mockPublicKeyDataProvider = new Mock<IPublicKeyDataProvider>( MockBehavior.Strict );
m_allTheKeys = new List<JsonWebKey>();
m_publicKeyDataProvider = new ExpiringPublicKeyDataProvider(
m_mockPublicKeyDataProvider.Object
);
m_mockPublicKeyDataProvider
.Setup( pkdp => pkdp.GetAllAsync() )
.ReturnsAsync( m_allTheKeys );
}
/// <summary>
/// Creates an <see cref="IAccessTokenValidator"/> instance backed by local public keys.
/// </summary>
/// <param name="publicKeyDataProvider">The <see cref="IPublicKeyDataProvider"/> for the local service</param>
/// <returns>A new <see cref="IAccessTokenValidator"/></returns>
public static IAccessTokenValidator CreateLocalValidator(
IPublicKeyDataProvider publicKeyDataProvider
)
{
var publicKeyProvider = new LocalPublicKeyProvider(
PublicKeyDataProviderFactory.CreateInternal(publicKeyDataProvider),
new InMemoryPublicKeyCache()
);
var result = new AccessTokenValidator(publicKeyProvider);
return(result);
}
internal static ISanePublicKeyDataProvider CreateInternal(
IPublicKeyDataProvider publicKeyDataProvider
) {
if( publicKeyDataProvider == null ) {
throw new ArgumentNullException( "publicKeyDataProvider" );
}
ISanePublicKeyDataProvider saneProvider = publicKeyDataProvider as ISanePublicKeyDataProvider;
if( saneProvider == null ) {
saneProvider = new ExpiringPublicKeyDataProvider( publicKeyDataProvider );
}
return saneProvider;
}
public LocalPublicKeyProvider(
ISanePublicKeyDataProvider publicKeyDataProvider,
IInMemoryPublicKeyCache cache
) {
if( publicKeyDataProvider == null ) {
throw new ArgumentNullException( "publicKeyDataProvider" );
}
if( cache == null ) {
throw new ArgumentNullException( "cache" );
}
m_publicKeyDataProvider = publicKeyDataProvider;
m_cache = cache;
}
/// <summary>
/// Creates an <see cref="ITokenSigner"/> instance which saves public keys to the provided <see cref="IPublicKeyDataProvider"/>
/// </summary>
/// <param name="publicKeyDataProvider">The <see cref="IPublicKeyDataProvider"/> for the local service</param>
/// <param name="keyLifetime">The max time a private key and its tokens may be used for</param>
/// <param name="keyRotationPeriod">How often to switch to signing with a new private key. The difference between this and <paramref name="keyLifetime"/> is the maximum token lifetime.</param>
/// <returns>A new <see cref="ITokenSigner"/></returns>
public static ITokenSigner Create(
IPublicKeyDataProvider publicKeyDataProvider,
TimeSpan keyLifetime,
TimeSpan keyRotationPeriod
) {
IPrivateKeyProvider privateKeyProvider = RsaPrivateKeyProvider
.Factory
.Create(
publicKeyDataProvider,
keyLifetime,
keyRotationPeriod
);
var tokenSigner = new TokenSigner( privateKeyProvider );
return tokenSigner;
}
public void SetUp() {
Mock<IAuthServiceClient> clientMock = new Mock<IAuthServiceClient>();
clientMock
.Setup( x => x.ProvisionAccessTokenAsync( It.IsAny<string>(), It.IsAny<IEnumerable<Scope>>() ) )
.Callback<string, IEnumerable<Scope>>( ( assertion, _ ) => {
var tokenHandler = new JwtSecurityTokenHandler();
m_actualAssertion = (JwtSecurityToken)tokenHandler.ReadToken( assertion );
} )
.ReturnsAsync( null );
#pragma warning disable 618
m_publicKeyDataProvider = new InMemoryPublicKeyDataProvider();
#pragma warning restore 618
m_tokenSigner = RsaTokenSignerFactory.Create( m_publicKeyDataProvider );
m_accessTokenProvider = new AccessTokenProvider( m_tokenSigner, clientMock.Object );
}
public LocalPublicKeyProvider(
ISanePublicKeyDataProvider publicKeyDataProvider,
IInMemoryPublicKeyCache cache
)
{
if (publicKeyDataProvider == null)
{
throw new ArgumentNullException("publicKeyDataProvider");
}
if (cache == null)
{
throw new ArgumentNullException("cache");
}
m_publicKeyDataProvider = publicKeyDataProvider;
m_cache = cache;
}
internal static ISanePublicKeyDataProvider CreateInternal(
IPublicKeyDataProvider publicKeyDataProvider
)
{
if (publicKeyDataProvider == null)
{
throw new ArgumentNullException("publicKeyDataProvider");
}
ISanePublicKeyDataProvider saneProvider = publicKeyDataProvider as ISanePublicKeyDataProvider;
if (saneProvider == null)
{
saneProvider = new ExpiringPublicKeyDataProvider(publicKeyDataProvider, DateTimeProvider.Instance);
}
return(saneProvider);
}
/// <summary>
/// Creates an <see cref="ITokenSigner"/> instance which saves public keys to the provided <see cref="IPublicKeyDataProvider"/>
/// </summary>
/// <param name="publicKeyDataProvider">The <see cref="IPublicKeyDataProvider"/> for the local service</param>
/// <param name="keyLifetime">The max time a private key and its tokens may be used for</param>
/// <param name="keyRotationPeriod">How often to switch to signing with a new private key. The difference between this and <paramref name="keyLifetime"/> is the maximum token lifetime.</param>
/// <returns>A new <see cref="ITokenSigner"/></returns>
public static ITokenSigner Create(
IPublicKeyDataProvider publicKeyDataProvider,
TimeSpan keyLifetime,
TimeSpan keyRotationPeriod
)
{
IPrivateKeyProvider privateKeyProvider = RsaPrivateKeyProvider
.Factory
.Create(
publicKeyDataProvider,
keyLifetime,
keyRotationPeriod
);
var tokenSigner = new TokenSigner(privateKeyProvider);
return(tokenSigner);
}
public ExpiringPublicKeyDataProvider(
IPublicKeyDataProvider inner,
IDateTimeProvider dateTimeProvider
)
{
if (inner == null)
{
throw new ArgumentNullException("inner");
}
if (dateTimeProvider == null)
{
throw new ArgumentException(nameof(dateTimeProvider));
}
m_inner = inner;
m_dateTimeProvider = dateTimeProvider;
}
public void SetUp()
{
m_mockPublicKeyDataProvider = new Mock <IPublicKeyDataProvider>(MockBehavior.Strict);
var mockDateTimeProvider = new Mock <IDateTimeProvider>(MockBehavior.Strict);
mockDateTimeProvider.SetupGet(x => x.UtcNow).Returns(NOW);
m_allTheKeys = new List <JsonWebKey>();
m_publicKeyDataProvider = new ExpiringPublicKeyDataProvider(
m_mockPublicKeyDataProvider.Object,
mockDateTimeProvider.Object
);
m_mockPublicKeyDataProvider
.Setup(pkdp => pkdp.GetAllAsync())
.ReturnsAsync(m_allTheKeys);
}
public void SetUp()
{
Mock <IAuthServiceClient> clientMock = new Mock <IAuthServiceClient>();
clientMock
.Setup(x => x.ProvisionAccessTokenAsync(It.IsAny <string>(), It.IsAny <IEnumerable <Scope> >()))
.Callback <string, IEnumerable <Scope> >((assertion, _) => {
var tokenHandler = new JwtSecurityTokenHandler();
m_actualAssertion = ( JwtSecurityToken )tokenHandler.ReadToken(assertion);
})
.ReturnsAsync(value: null);
#pragma warning disable 618
m_publicKeyDataProvider = new InMemoryPublicKeyDataProvider();
#pragma warning restore 618
m_tokenSigner = RsaTokenSignerFactory.Create(m_publicKeyDataProvider);
m_accessTokenProvider = new AccessTokenProvider(m_tokenSigner, clientMock.Object);
}
/// <summary>
/// Creates an <see cref="ITokenSigner"/> instance which saves public keys to the provided <see cref="IPublicKeyDataProvider"/>
/// </summary>
/// <param name="publicKeyDataProvider">The <see cref="IPublicKeyDataProvider"/> for the local service</param>
/// <param name="curve">The curve to use</param>
/// <param name="keyLifetime">The max time a private key and its tokens may be used for</param>
/// <param name="keyRotationPeriod">How often to switch to signing with a new private key. The difference between this and <paramref name="keyLifetime"/> is the maximum token lifetime.</param>
/// <returns>A new <see cref="ITokenSigner"/></returns>
public static ITokenSigner Create(
IPublicKeyDataProvider publicKeyDataProvider,
Curve curve,
TimeSpan keyLifetime,
TimeSpan keyRotationPeriod
)
{
ECCurve curveInternal;
switch (curve)
{
case Curve.P521: {
curveInternal = ECCurve.NamedCurves.nistP256;
break;
}
case Curve.P384: {
curveInternal = ECCurve.NamedCurves.nistP384;
break;
}
case Curve.P256:
default: {
curveInternal = ECCurve.NamedCurves.nistP521;
break;
}
}
IPrivateKeyProvider privateKeyProvider = EcDsaPrivateKeyProvider
.Factory
.Create(
publicKeyDataProvider,
keyLifetime,
keyRotationPeriod,
curveInternal
);
var tokenSigner = new TokenSigner(privateKeyProvider);
return(tokenSigner);
}
/// <summary>
/// Creates an <see cref="ITokenSigner"/> instance which saves public keys to the provided <see cref="IPublicKeyDataProvider"/>
/// </summary>
/// <param name="publicKeyDataProvider">The <see cref="IPublicKeyDataProvider"/> for the local service</param>
/// <param name="curve">The curve to use</param>
/// <param name="keyLifetime">The max time a private key and its tokens may be used for</param>
/// <param name="keyRotationPeriod">How often to switch to signing with a new private key. The difference between this and <paramref name="keyLifetime"/> is the maximum token lifetime.</param>
/// <returns>A new <see cref="ITokenSigner"/></returns>
public static ITokenSigner Create(
IPublicKeyDataProvider publicKeyDataProvider,
Curve curve,
TimeSpan keyLifetime,
TimeSpan keyRotationPeriod
)
{
CngAlgorithm algorithm;
switch (curve)
{
case Curve.P521: {
algorithm = CngAlgorithm.ECDsaP521;
break;
}
case Curve.P384: {
algorithm = CngAlgorithm.ECDsaP384;
break;
}
case Curve.P256:
default: {
algorithm = CngAlgorithm.ECDsaP256;
break;
}
}
IPrivateKeyProvider privateKeyProvider = EcDsaPrivateKeyProvider
.Factory
.Create(
publicKeyDataProvider,
keyLifetime,
keyRotationPeriod,
algorithm
);
var tokenSigner = new TokenSigner(privateKeyProvider);
return(tokenSigner);
}
internal static IPrivateKeyProvider Create(
IPublicKeyDataProvider publicKeyDataProvider,
TimeSpan keyLifetime,
TimeSpan keyRotationPeriod,
CngAlgorithm algorithm,
IDateTimeProvider dateTimeProvider = null
)
{
if (keyLifetime < keyRotationPeriod)
{
throw new ArgumentException("Private key lifetime must exceed the rotation period", "keyLifetime");
}
dateTimeProvider = dateTimeProvider ?? DateTimeProvider.Instance;
ID2LSecurityTokenFactory d2lSecurityTokenFactory = new D2LSecurityTokenFactory(
dateTimeProvider,
keyLifetime
);
IPrivateKeyProvider privateKeyProvider = new EcDsaPrivateKeyProvider(
d2lSecurityTokenFactory,
algorithm
);
privateKeyProvider = new SavingPrivateKeyProvider(
privateKeyProvider,
PublicKeyDataProviderFactory.CreateInternal(publicKeyDataProvider)
);
privateKeyProvider = new RotatingPrivateKeyProvider(
privateKeyProvider,
dateTimeProvider,
keyRotationPeriod
);
return(privateKeyProvider);
}
/// <summary>
/// Creates an <see cref="ITokenSigner"/> instance which saves public keys to the provided <see cref="IPublicKeyDataProvider"/>
/// </summary>
/// <param name="publicKeyDataProvider">The <see cref="IPublicKeyDataProvider"/> for the local service</param>
/// <returns>A new <see cref="ITokenSigner"/></returns>
public static ITokenSigner Create(
IPublicKeyDataProvider publicKeyDataProvider
)
{
return(RsaTokenSignerFactory.Create(publicKeyDataProvider));
}
/// <summary>
/// Factory method for creating verified <see cref="IPublicKeyDataProvider"/> instances.
/// </summary>
/// <param name="publicKeyDataProvider">Local implementation of <see cref="IPublicKeyDataProvider"/></param>
/// <returns>A new <see cref="IPublicKeyDataProvider"/></returns>
public static IPublicKeyDataProvider Create(
IPublicKeyDataProvider publicKeyDataProvider
)
{
return(CreateInternal(publicKeyDataProvider));
}
public void SetUp() {
#pragma warning disable 618
m_publicKeyDataProvider = new InMemoryPublicKeyDataProvider();
#pragma warning restore 618
}
protected override ITokenSigner GetTokenSigner(IPublicKeyDataProvider p)
{
return(RsaTokenSignerFactory.Create(p));
}
public void SetUp()
{
#pragma warning disable 618
m_publicKeyDataProvider = new InMemoryPublicKeyDataProvider();
#pragma warning restore 618
}
protected abstract ITokenSigner GetTokenSigner( IPublicKeyDataProvider p );
protected abstract ITokenSigner GetTokenSigner(IPublicKeyDataProvider p);
protected override ITokenSigner GetTokenSigner( IPublicKeyDataProvider p ) {
return RsaTokenSignerFactory.Create( p );
}
/// <summary>
/// Factory method for creating verified <see cref="IPublicKeyDataProvider"/> instances.
/// </summary>
/// <param name="publicKeyDataProvider">Local implementation of <see cref="IPublicKeyDataProvider"/></param>
/// <returns>A new <see cref="IPublicKeyDataProvider"/></returns>
public static IPublicKeyDataProvider Create(
IPublicKeyDataProvider publicKeyDataProvider
) {
return CreateInternal( publicKeyDataProvider );
}
/// <summary>
/// Creates an <see cref="ITokenSigner"/> instance which saves public keys to the provided <see cref="IPublicKeyDataProvider"/>
/// </summary>
/// <param name="publicKeyDataProvider">The <see cref="IPublicKeyDataProvider"/> for the local service</param>
/// <returns>A new <see cref="ITokenSigner"/></returns>
public static ITokenSigner Create(
IPublicKeyDataProvider publicKeyDataProvider
) {
return RsaTokenSignerFactory.Create( publicKeyDataProvider );
}
protected override ITokenSigner GetTokenSigner( IPublicKeyDataProvider p ) {
return EcDsaTokenSignerFactory.Create(
p,
EcDsaTokenSignerFactory.Curve.P384
);
}
