public string Decrypt(
string toDecrypt,
JweAlg alg,
JsonWebKey jsonWebKey)
{
return(PerformDecryption(toDecrypt, alg, jsonWebKey, bytes => bytes[0]));
}
public string Decrypt(
string toDecrypt,
JweAlg alg,
JsonWebKey jsonWebKey)
{
return(string.Empty);
}
public AesEncryptionResult Encrypt(
string toEncrypt,
JweAlg alg,
JweProtectedHeader protectedHeader,
JsonWebKey jsonWebKey)
{
return(PerformEncryption(toEncrypt, alg, protectedHeader, jsonWebKey, bytes => bytes[0]));
}
public string DecryptWithSymmetricPassword(
string toDecrypt,
JweAlg alg,
JsonWebKey jsonWebKey,
string password)
{
return(string.Empty);
}
public AesEncryptionResult Encrypt(
string toEncrypt,
JweAlg alg,
JweProtectedHeader protectedHeader,
JsonWebKey jsonWebKey)
{
return(null);
}
public AesEncryptionResult EncryptWithSymmetricPassword(
string toEncrypt,
JweAlg alg,
JweProtectedHeader protectedHeader,
JsonWebKey jsonWebKey,
string password)
{
return(null);
}
public byte[] DecryptContentEncryptionKey(
byte[] encryptedContentEncryptionKey,
JweAlg alg,
JsonWebKey jsonWebKey)
{
var algorithm = _mappingJweAlgToAlgorithms[alg];
return(algorithm.Decrypt(
encryptedContentEncryptionKey,
jsonWebKey));
}
private string PerformDecryption(
string toDecrypt,
JweAlg alg,
JsonWebKey jsonWebKey,
Func <byte[][], byte[]> callback)
{
try
{
var toDecryptSplitted = toDecrypt.Split('.');
var serializedProtectedHeader = toDecryptSplitted[0].Base64Decode();
var encryptedContentEncryptionKeyBytes = toDecryptSplitted[1].Base64DecodeBytes();
var ivBytes = toDecryptSplitted[2].Base64DecodeBytes();
var cipherText = toDecryptSplitted[3].Base64DecodeBytes();
var authenticationTag = toDecryptSplitted[4].Base64DecodeBytes();
var contentEncryptionKey = _aesEncryptionHelper.DecryptContentEncryptionKey(
encryptedContentEncryptionKeyBytes,
alg,
jsonWebKey);
var contentEncryptionKeySplitted = GetKeysFromContentEncryptionKey(contentEncryptionKey);
var hmacKey = callback(contentEncryptionKeySplitted);
var aesCbcKey = contentEncryptionKeySplitted[1];
// Encrypt the plain text & create cipher text.
var decrypted = _aesEncryptionHelper.DecryptWithAesAlgorithm(
cipherText,
aesCbcKey,
ivBytes);
// Calculate the additional authenticated data.
var aad = Encoding.UTF8.GetBytes(serializedProtectedHeader);
// Calculate the authentication tag.
var al = ByteManipulator.LongToBytes(aad.Length * 8);
var hmacInput = ByteManipulator.Concat(aad, ivBytes, cipherText, al);
var hmacValue = ComputeHmac(_keySize, hmacKey, hmacInput);
var newAuthenticationTag = ByteManipulator.SplitByteArrayInHalf(hmacValue)[0];
// Check if the authentication tags are equal other raise an exception.
if (!ByteManipulator.ConstantTimeEquals(newAuthenticationTag, authenticationTag))
{
// TODO : raise an exception.
return(string.Empty);
}
return(decrypted);
}
catch (Exception ex)
{
throw new Exception("invalid " + toDecrypt);
}
}
public string GenerateJwe(
string entry,
JweAlg alg,
JweEnc enc,
JsonWebKey jsonWebKey)
{
return(PerformeJweGeneration(entry, alg, enc, jsonWebKey, (encryption, jweProtectedHeader) => encryption.Encrypt(entry,
alg,
jweProtectedHeader,
jsonWebKey)
));
}
public string DecryptWithSymmetricPassword(
string toDecrypt,
JweAlg alg,
JsonWebKey jsonWebKey,
string password)
{
var callback = new Func <byte[][], byte[]>(bytes =>
{
var result = Encoding.UTF8.GetBytes(password);
return(result);
});
return(PerformDecryption(toDecrypt, alg, jsonWebKey, callback));
}
public string GenerateJweByUsingSymmetricPassword(
string entry,
JweAlg alg,
JweEnc enc,
JsonWebKey jsonWebKey,
string password)
{
return(PerformeJweGeneration(entry, alg, enc, jsonWebKey, (encryption, jweProtectedHeader) => encryption.EncryptWithSymmetricPassword(entry,
alg,
jweProtectedHeader,
jsonWebKey,
password)
));
}
public AesEncryptionResult EncryptWithSymmetricPassword(
string toEncrypt,
JweAlg alg,
JweProtectedHeader protectedHeader,
JsonWebKey jsonWebKey,
string password)
{
var callback = new Func <byte[][], byte[]>(bytes =>
{
var result = Encoding.UTF8.GetBytes(password);
return(result);
});
return(PerformEncryption(toEncrypt, alg, protectedHeader, jsonWebKey, callback));
}
private AesEncryptionResult PerformEncryption(
string toEncrypt,
JweAlg alg,
JweProtectedHeader protectedHeader,
JsonWebKey jsonWebKey,
Func <byte[][], byte[]> callback)
{
// Get the content encryption key
var contentEncryptionKey = _aesEncryptionHelper.GenerateContentEncryptionKey(_keySize);
// Encrypt the content encryption key
var encryptedContentEncryptionKey = _aesEncryptionHelper.EncryptContentEncryptionKey(
contentEncryptionKey,
alg,
jsonWebKey);
var contentEncryptionKeySplitted = GetKeysFromContentEncryptionKey(contentEncryptionKey);
var hmacKey = callback(contentEncryptionKeySplitted);
var aesCbcKey = contentEncryptionKeySplitted[1];
var iv = ByteManipulator.GenerateRandomBytes(_keySize / 2);
// Encrypt the plain text & create cipher text.
var cipherText = _aesEncryptionHelper.EncryptWithAesAlgorithm(
toEncrypt,
aesCbcKey,
iv);
// Calculate the additional authenticated data.
var serializedProtectedHeader = protectedHeader.SerializeWithDataContract();
var aad = Encoding.UTF8.GetBytes(serializedProtectedHeader);
// Calculate the authentication tag.
var al = ByteManipulator.LongToBytes(aad.Length * 8);
var hmacInput = ByteManipulator.Concat(aad, iv, cipherText, al);
var hmacValue = ComputeHmac(_keySize, hmacKey, hmacInput);
var authenticationTag = ByteManipulator.SplitByteArrayInHalf(hmacValue)[0];
return(new AesEncryptionResult
{
Iv = iv,
CipherText = cipherText,
EncryptedContentEncryptionKey = encryptedContentEncryptionKey,
AuthenticationTag = authenticationTag
});
}
public async Task <string> EncryptAsync(string jwe, JweAlg jweAlg, JweEnc jweEnc)
{
var jsonWebKey = await GetJsonWebKey(
jweAlg.ToAllAlg(),
KeyOperations.Encrypt,
Use.Enc);
if (jsonWebKey == null)
{
return(jwe);
}
return(_jweGenerator.GenerateJwe(
jwe,
jweAlg,
jweEnc,
jsonWebKey));
}
private string PerformeJweGeneration(
string entry,
JweAlg alg,
JweEnc enc,
JsonWebKey jsonWebKey,
Func <IEncryption, JweProtectedHeader, AesEncryptionResult> callback)
{
var algo = Constants.MappingNameToJweAlgEnum
.SingleOrDefault(k => k.Value == alg);
var encryption = Constants.MappingNameToJweEncEnum
.SingleOrDefault(k => k.Value == enc);
if (jsonWebKey == null ||
algo.IsDefault() ||
encryption.IsDefault())
{
return(entry);
}
// Construct the JWE protected header
var jweProtectedHeader = new JweProtectedHeader
{
Alg = algo.Key,
Enc = encryption.Key,
Kid = jsonWebKey.Kid
};
var algorithm = _jweHelper.GetEncryptor(enc);
var encryptionResult = callback(
algorithm,
jweProtectedHeader);
var base64EncodedjweProtectedHeaderSerialized = jweProtectedHeader.SerializeWithDataContract().Base64Encode();
var base64EncodedJweEncryptedKey = encryptionResult.EncryptedContentEncryptionKey.Base64EncodeBytes();
var base64EncodedIv = encryptionResult.Iv.Base64EncodeBytes();
var base64EncodedCipherText = encryptionResult.CipherText.Base64EncodeBytes();
var base64EncodedAuthenticationTag = encryptionResult.AuthenticationTag.Base64EncodeBytes();
return(base64EncodedjweProtectedHeaderSerialized + "." +
base64EncodedJweEncryptedKey + "." +
base64EncodedIv + "." +
base64EncodedCipherText + "." +
base64EncodedAuthenticationTag);
}
public static AllAlg ToAllAlg(this JweAlg alg)
{
var name = Enum.GetName(typeof(JweAlg), alg);
return((AllAlg)Enum.Parse(typeof(AllAlg), name));
}
