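/// <summary>
/// Adds a specific <see cref="SecurityKey"/> to decrypt
/// authorization requests received by the OpenID Connect server.
/// </summary>
/// <param name="credentials">The list of encrypting credentials the key is added to.</param>
/// <param name="key">The key used to decrypt authorization requests received by the server.</param>
/// <returns>The encryption credentials.</returns>
/// <exception cref="ArgumentNullException"><paramref name="credentials"/> or <paramref name="key"/> is <c>null</c>.</exception>
/// <exception cref="InvalidOperationException">
/// The key is asymmetric but doesn't contain its private part, or no key wrap algorithm can be inferred from it.
/// </exception>
public static IList<EncryptingCredentials> AddKey(
    [NotNull] this IList<EncryptingCredentials> credentials, [NotNull] SecurityKey key)
{
    if (credentials is null)
    {
        throw new ArgumentNullException(nameof(credentials));
    }

    if (key is null)
    {
        throw new ArgumentNullException(nameof(key));
    }

    // Unwrapping a key-wrapped request needs the private half of an asymmetric key.
    // Reject a public-only key here, at configuration time, rather than when the first
    // encrypted request arrives (same guard the signing counterpart applies).
    if (key is AsymmetricSecurityKey asymmetricKey && !asymmetricKey.HasPrivateKey())
    {
        throw new InvalidOperationException("The asymmetric encryption key doesn't contain the required private key.");
    }

    // Infer the algorithm from what the key itself reports as supported;
    // the first supported algorithm wins (RSA-OAEP key wrap, then AES-256).
    if (key.IsSupportedAlgorithm(SecurityAlgorithms.RsaOaepKeyWrap))
    {
        credentials.Add(new EncryptingCredentials(key, key.GetKeyIdentifier(), SecurityAlgorithms.RsaOaepKeyWrap));
        return credentials;
    }

    if (key.IsSupportedAlgorithm(SecurityAlgorithms.Aes256Encryption))
    {
        credentials.Add(new EncryptingCredentials(key, key.GetKeyIdentifier(), SecurityAlgorithms.Aes256Encryption));
        return credentials;
    }

    throw new InvalidOperationException("A key wrap algorithm cannot be automatically inferred from the encryption key. " +
        "Consider using 'options.EncryptingCredentials.Add(EncryptingCredentials)' instead.");
}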
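/// <summary>
/// Adds a specific <see cref="SecurityKey"/> to sign the tokens issued by the OpenID Connect server.
/// </summary>
/// <param name="credentials">The list of signing credentials the key is added to.</param>
/// <param name="key">The key used to sign security tokens issued by the server.</param>
/// <returns>The signing credentials.</returns>
/// <exception cref="ArgumentNullException"><paramref name="credentials"/> or <paramref name="key"/> is <c>null</c>.</exception>
/// <exception cref="InvalidOperationException">
/// The key is asymmetric but reports no private key, or no signature algorithm can be inferred from it.
/// </exception>
/// <exception cref="PlatformNotSupportedException">The key is an ECDSA key and the build has no ECDSA support.</exception>
/// <remarks>
/// When <see cref="SecurityKey.KeyId"/> is null or empty, it is assigned a value inferred from the key,
/// so the caller's <paramref name="key"/> instance is mutated.
/// </remarks>
public static IList<SigningCredentials> AddKey(
    [NotNull] this IList<SigningCredentials> credentials, [NotNull] SecurityKey key)
{
    if (credentials is null)
    {
        throw new ArgumentNullException(nameof(credentials));
    }

    if (key is null)
    {
        throw new ArgumentNullException(nameof(key));
    }

    // Signing needs the private half of an asymmetric key: fail at registration instead of at
    // token issuance. Only a definite "does not exist" status is rejected, as in the original.
    if (key is AsymmetricSecurityKey asymmetricKey &&
        asymmetricKey.PrivateKeyStatus == PrivateKeyStatus.DoesNotExist)
    {
        throw new InvalidOperationException("The asymmetric signing key doesn't contain the required private key.");
    }

    // When no key identifier can be retrieved from the security key, a value is automatically
    // inferred from the hexadecimal representation of the certificate thumbprint (SHA-1)
    // when the key is bound to a X.509 certificate or from the public part of the signing key.
    if (string.IsNullOrEmpty(key.KeyId))
    {
        key.KeyId = key.GetKeyIdentifier();
    }

    // Registers the key with the given algorithm and hands the list back to the caller.
    IList<SigningCredentials> AddWithAlgorithm(string algorithm)
    {
        credentials.Add(new SigningCredentials(key, algorithm));
        return credentials;
    }

    // The first algorithm the key reports as supported wins: RSA, then HMAC, then the ECDSA curves.
    if (key.IsSupportedAlgorithm(SecurityAlgorithms.RsaSha256))
    {
        return AddWithAlgorithm(SecurityAlgorithms.RsaSha256);
    }

    if (key.IsSupportedAlgorithm(SecurityAlgorithms.HmacSha256))
    {
        return AddWithAlgorithm(SecurityAlgorithms.HmacSha256);
    }

#if SUPPORTS_ECDSA
    // Note: ECDSA algorithms are bound to specific curves and must be treated separately.
    if (key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha256))
    {
        return AddWithAlgorithm(SecurityAlgorithms.EcdsaSha256);
    }

    if (key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha384))
    {
        return AddWithAlgorithm(SecurityAlgorithms.EcdsaSha384);
    }

    if (key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha512))
    {
        return AddWithAlgorithm(SecurityAlgorithms.EcdsaSha512);
    }
#else
    // Without ECDSA support an ECDSA key must not fall through to the generic
    // "cannot be inferred" error: report that the platform, not the key, is the cause.
    if (key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha256) ||
        key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha384) ||
        key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha512))
    {
        throw new PlatformNotSupportedException("ECDSA signing keys are not supported on this platform.");
    }
#endif

    throw new InvalidOperationException("A signature algorithm cannot be automatically inferred from the signing key. " +
        "Consider using 'options.SigningCredentials.Add(SigningCredentials)' instead.");
}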
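/// <summary>
/// Adds a specific <see cref="SecurityKey"/> to sign the tokens issued by the OpenID Connect server.
/// </summary>
/// <param name="credentials">The list of signing credentials the key is added to.</param>
/// <param name="key">The key used to sign security tokens issued by the server.</param>
/// <returns>The signing credentials.</returns>
/// <exception cref="ArgumentNullException"><paramref name="credentials"/> or <paramref name="key"/> is <c>null</c>.</exception>
/// <exception cref="InvalidOperationException">
/// The key is asymmetric but doesn't contain its private part, or no signature algorithm can be inferred from it.
/// </exception>
public static IList<SigningCredentials> AddKey(
    [NotNull] this IList<SigningCredentials> credentials, [NotNull] SecurityKey key)
{
    if (credentials is null)
    {
        throw new ArgumentNullException(nameof(credentials));
    }

    if (key is null)
    {
        throw new ArgumentNullException(nameof(key));
    }

    // Signing needs the private half of an asymmetric key: reject a public-only key at
    // registration rather than at token issuance. Pattern matching replaces the type test + cast.
    if (key is AsymmetricSecurityKey asymmetricKey && !asymmetricKey.HasPrivateKey())
    {
        throw new InvalidOperationException("The asymmetric signing key doesn't contain the required private key.");
    }

    // Registers the key with the given signature algorithm (SHA-256 digest in both supported
    // cases) and hands the list back to the caller.
    IList<SigningCredentials> AddWithAlgorithm(string signatureAlgorithm)
    {
        credentials.Add(new SigningCredentials(key, signatureAlgorithm,
            SecurityAlgorithms.Sha256Digest, key.GetKeyIdentifier()));
        return credentials;
    }

    // The first algorithm the key reports as supported wins: RSA, then HMAC.
    if (key.IsSupportedAlgorithm(SecurityAlgorithms.RsaSha256Signature))
    {
        return AddWithAlgorithm(SecurityAlgorithms.RsaSha256Signature);
    }

    if (key.IsSupportedAlgorithm(SecurityAlgorithms.HmacSha256Signature))
    {
        return AddWithAlgorithm(SecurityAlgorithms.HmacSha256Signature);
    }

    throw new InvalidOperationException("A signature algorithm cannot be automatically inferred from the signing key. " +
        "Consider using 'options.SigningCredentials.Add(SigningCredentials)' instead.");
}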
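/// <summary>
/// Adds a specific <see cref="SecurityKey"/> to sign the tokens issued by the OpenID Connect server.
/// </summary>
/// <param name="credentials">The list of signing credentials the key is added to.</param>
/// <param name="key">The key used to sign security tokens issued by the server.</param>
/// <returns>The signing credentials.</returns>
/// <exception cref="ArgumentNullException"><paramref name="credentials"/> or <paramref name="key"/> is <c>null</c>.</exception>
/// <exception cref="InvalidOperationException">No signature algorithm can be inferred from the key.</exception>
/// <exception cref="PlatformNotSupportedException">The key is an ECDSA key and the build has no ECDSA support.</exception>
/// <remarks>
/// When <see cref="SecurityKey.KeyId"/> is null or empty, it is assigned a value inferred from the key,
/// so the caller's <paramref name="key"/> instance is mutated.
/// </remarks>
public static IList<SigningCredentials> AddKey(
    [NotNull] this IList<SigningCredentials> credentials, [NotNull] SecurityKey key)
{
    if (credentials is null)
    {
        throw new ArgumentNullException(nameof(credentials));
    }

    if (key is null)
    {
        throw new ArgumentNullException(nameof(key));
    }

    // When no key identifier can be retrieved from the security key, a value is automatically
    // inferred from the hexadecimal representation of the certificate thumbprint (SHA-1)
    // when the key is bound to a X.509 certificate or from the public part of the signing key.
    if (string.IsNullOrEmpty(key.KeyId))
    {
        key.KeyId = key.GetKeyIdentifier();
    }

    // Registers the key with the given algorithm and hands the list back to the caller.
    IList<SigningCredentials> AddWithAlgorithm(string algorithm)
    {
        credentials.Add(new SigningCredentials(key, algorithm));
        return credentials;
    }

    // The first algorithm the key reports as supported wins: RSA, then HMAC, then the ECDSA curves.
    if (key.IsSupportedAlgorithm(SecurityAlgorithms.RsaSha256Signature))
    {
        return AddWithAlgorithm(SecurityAlgorithms.RsaSha256Signature);
    }

    if (key.IsSupportedAlgorithm(SecurityAlgorithms.HmacSha256Signature))
    {
        return AddWithAlgorithm(SecurityAlgorithms.HmacSha256Signature);
    }

#if SUPPORTS_ECDSA
    // Note: ECDSA algorithms are bound to specific curves and must be treated separately.
    if (key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha256Signature))
    {
        return AddWithAlgorithm(SecurityAlgorithms.EcdsaSha256Signature);
    }

    if (key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha384Signature))
    {
        return AddWithAlgorithm(SecurityAlgorithms.EcdsaSha384Signature);
    }

    if (key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha512Signature))
    {
        return AddWithAlgorithm(SecurityAlgorithms.EcdsaSha512Signature);
    }
#else
    // Without ECDSA support an ECDSA key previously fell through to the generic "cannot be
    // inferred" error below, which blames the key. Report the real cause instead, as the
    // sibling overload that uses the non-"Signature" algorithm names already does.
    if (key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha256Signature) ||
        key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha384Signature) ||
        key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha512Signature))
    {
        throw new PlatformNotSupportedException("ECDSA signing keys are not supported on this platform.");
    }
#endif

    throw new InvalidOperationException("A signature algorithm cannot be automatically inferred from the signing key. " +
        "Consider using 'options.SigningCredentials.Add(SigningCredentials)' instead.");
}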
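/// <summary>
/// Adds a specific <see cref="SecurityKey"/> to sign the tokens issued by the OpenID Connect server.
/// </summary>
/// <param name="credentials">The list of signing credentials the key is added to.</param>
/// <param name="key">The key used to sign security tokens issued by the server.</param>
/// <returns>The signing credentials.</returns>
/// <exception cref="ArgumentNullException"><paramref name="credentials"/> or <paramref name="key"/> is <c>null</c>.</exception>
/// <exception cref="InvalidOperationException">
/// The key is asymmetric but doesn't contain its private part, or no signature algorithm can be inferred from it.
/// </exception>
public static IList<SigningCredentials> AddKey(
    [NotNull] this IList<SigningCredentials> credentials, [NotNull] SecurityKey key)
{
    if (credentials is null)
    {
        throw new ArgumentNullException(nameof(credentials));
    }

    if (key is null)
    {
        throw new ArgumentNullException(nameof(key));
    }

    // Signing needs the private half of an asymmetric key. The original accepted a public-only
    // key and let signing fail later; mirror the sibling overload and reject it at registration.
    if (key is AsymmetricSecurityKey asymmetricKey && !asymmetricKey.HasPrivateKey())
    {
        throw new InvalidOperationException("The asymmetric signing key doesn't contain the required private key.");
    }

    // Registers the key with the given signature algorithm (SHA-256 digest in both supported
    // cases) and hands the list back to the caller.
    IList<SigningCredentials> AddWithAlgorithm(string signatureAlgorithm)
    {
        credentials.Add(new SigningCredentials(key, signatureAlgorithm,
            SecurityAlgorithms.Sha256Digest, key.GetKeyIdentifier()));
        return credentials;
    }

    // The first algorithm the key reports as supported wins: RSA, then HMAC.
    if (key.IsSupportedAlgorithm(SecurityAlgorithms.RsaSha256Signature))
    {
        return AddWithAlgorithm(SecurityAlgorithms.RsaSha256Signature);
    }

    if (key.IsSupportedAlgorithm(SecurityAlgorithms.HmacSha256Signature))
    {
        return AddWithAlgorithm(SecurityAlgorithms.HmacSha256Signature);
    }

    throw new InvalidOperationException("A signature algorithm cannot be automatically inferred from the signing key. " +
        "Consider using 'options.SigningCredentials.Add(SigningCredentials)' instead.");
}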