        /// <summary>
        /// Registers a <see cref="SecurityKey"/> used to decrypt the authorization requests
        /// received by the OpenID Connect server, inferring the key wrap algorithm from the
        /// algorithms the key reports as supported.
        /// </summary>
        /// <param name="credentials">The list of encryption credentials the new entry is appended to.</param>
        /// <param name="key">The key used to decrypt the requests received by the server.</param>
        /// <returns>The same <paramref name="credentials"/> list, to allow call chaining.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="credentials"/> or <paramref name="key"/> is null.</exception>
        /// <exception cref="InvalidOperationException">The key supports neither RSA-OAEP key wrap nor AES-256.</exception>
        public static IList <EncryptingCredentials> AddKey(
            [NotNull] this IList <EncryptingCredentials> credentials, [NotNull] SecurityKey key)
        {
            if (credentials == null)
            {
                throw new ArgumentNullException(nameof(credentials));
            }

            if (key == null)
            {
                throw new ArgumentNullException(nameof(key));
            }

            // Algorithms are probed in this fixed order and only the first supported one is
            // registered, so a key supporting both is always bound to RSA-OAEP key wrap.
            string[] candidates = new string[]
            {
                SecurityAlgorithms.RsaOaepKeyWrap,
                SecurityAlgorithms.Aes256Encryption,
            };

            foreach (string algorithm in candidates)
            {
                if (!key.IsSupportedAlgorithm(algorithm))
                {
                    continue;
                }

                credentials.Add(new EncryptingCredentials(key, key.GetKeyIdentifier(), algorithm));

                return credentials;
            }

            throw new InvalidOperationException("A key wrap algorithm cannot be automatically inferred from the encryption key. " +
                                                "Consider using 'options.EncryptingCredentials.Add(EncryptingCredentials)' instead.");
        }
        /// <summary>
        /// Registers a <see cref="SecurityKey"/> used to sign the tokens issued by the OpenID Connect
        /// server, inferring the signature algorithm from the algorithms the key reports as supported.
        /// </summary>
        /// <param name="credentials">The list of signing credentials the new entry is appended to.</param>
        /// <param name="key">The key used to sign the security tokens issued by the server.</param>
        /// <returns>The same <paramref name="credentials"/> list, to allow call chaining.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="credentials"/> or <paramref name="key"/> is null.</exception>
        /// <exception cref="InvalidOperationException">
        /// The key is an asymmetric key without a private part, or no supported signature algorithm could be inferred.
        /// </exception>
        /// <exception cref="PlatformNotSupportedException">The key is an ECDSA key and ECDSA is not supported on this platform.</exception>
        public static IList <SigningCredentials> AddKey(
            [NotNull] this IList <SigningCredentials> credentials, [NotNull] SecurityKey key)
        {
            if (credentials == null)
            {
                throw new ArgumentNullException(nameof(credentials));
            }

            if (key == null)
            {
                throw new ArgumentNullException(nameof(key));
            }

            // Signing needs the private half of an asymmetric key: reject public-only keys up front.
            if (key is AsymmetricSecurityKey asymmetricKey &&
                asymmetricKey.PrivateKeyStatus == PrivateKeyStatus.DoesNotExist)
            {
                throw new InvalidOperationException("The asymmetric signing key doesn't contain the required private key.");
            }

            // Note: this mutates the caller's key object. When no key identifier is present, one is derived
            // by GetKeyIdentifier() (per the original author, from the SHA-1 certificate thumbprint when the
            // key is bound to a X.509 certificate, otherwise from the public part of the key).
            if (string.IsNullOrEmpty(key.KeyId))
            {
                key.KeyId = key.GetKeyIdentifier();
            }

            // Algorithms are probed in this fixed order and only the first supported one is registered.
            string[] candidates = new string[]
            {
                SecurityAlgorithms.RsaSha256,
                SecurityAlgorithms.HmacSha256,
#if SUPPORTS_ECDSA
                // ECDSA algorithms are bound to specific curves, so each one is probed separately.
                SecurityAlgorithms.EcdsaSha256,
                SecurityAlgorithms.EcdsaSha384,
                SecurityAlgorithms.EcdsaSha512,
#endif
            };

            foreach (string algorithm in candidates)
            {
                if (!key.IsSupportedAlgorithm(algorithm))
                {
                    continue;
                }

                credentials.Add(new SigningCredentials(key, algorithm));

                return credentials;
            }

#if !SUPPORTS_ECDSA
            // An ECDSA key is recognized but unusable here: fail with a platform error rather than
            // the generic "cannot infer" error below.
            if (key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha256) ||
                key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha384) ||
                key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha512))
            {
                throw new PlatformNotSupportedException("ECDSA signing keys are not supported on this platform.");
            }
#endif

            throw new InvalidOperationException("A signature algorithm cannot be automatically inferred from the signing key. " +
                                                "Consider using 'options.SigningCredentials.Add(SigningCredentials)' instead.");
        }
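        /// <summary>
        /// Adds a specific <see cref="SecurityKey"/> to sign the tokens issued by the OpenID Connect server.
        /// The signature algorithm is inferred from the algorithms the key reports as supported.
        /// </summary>
        /// <param name="credentials">The list of signing credentials the new entry is appended to.</param>
        /// <param name="key">The key used to sign security tokens issued by the server.</param>
        /// <returns>The same <paramref name="credentials"/> list, to allow call chaining.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="credentials"/> or <paramref name="key"/> is null.</exception>
        /// <exception cref="InvalidOperationException">
        /// The key is an asymmetric key without a private part, or neither RSA-SHA256 nor HMAC-SHA256 is supported by the key.
        /// </exception>
        public static IList <SigningCredentials> AddKey(
            [NotNull] this IList <SigningCredentials> credentials, [NotNull] SecurityKey key)
        {
            if (credentials == null)
            {
                throw new ArgumentNullException(nameof(credentials));
            }

            if (key == null)
            {
                throw new ArgumentNullException(nameof(key));
            }

            // Signing needs the private half of an asymmetric key: reject public-only keys up front.
            // The pattern variable replaces the redundant type test + cast of the previous version.
            if (key is AsymmetricSecurityKey asymmetricKey && !asymmetricKey.HasPrivateKey())
            {
                throw new InvalidOperationException("The asymmetric signing key doesn't contain the required private key.");
            }

            // Probed in preference order; only the first supported algorithm is registered.
            if (key.IsSupportedAlgorithm(SecurityAlgorithms.RsaSha256Signature))
            {
                credentials.Add(new SigningCredentials(key, SecurityAlgorithms.RsaSha256Signature,
                                                       SecurityAlgorithms.Sha256Digest, key.GetKeyIdentifier()));

                return credentials;
            }

            if (key.IsSupportedAlgorithm(SecurityAlgorithms.HmacSha256Signature))
            {
                credentials.Add(new SigningCredentials(key, SecurityAlgorithms.HmacSha256Signature,
                                                       SecurityAlgorithms.Sha256Digest, key.GetKeyIdentifier()));

                return credentials;
            }

            throw new InvalidOperationException("A signature algorithm cannot be automatically inferred from the signing key. " +
                                                "Consider using 'options.SigningCredentials.Add(SigningCredentials)' instead.");
        }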
        /// <summary>
        /// Registers a <see cref="SecurityKey"/> used to sign the tokens issued by the OpenID Connect
        /// server, inferring the signature algorithm from the algorithms the key reports as supported.
        /// </summary>
        /// <param name="credentials">The list of signing credentials the new entry is appended to.</param>
        /// <param name="key">The key used to sign the security tokens issued by the server.</param>
        /// <returns>The same <paramref name="credentials"/> list, to allow call chaining.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="credentials"/> or <paramref name="key"/> is null.</exception>
        /// <exception cref="InvalidOperationException">No supported signature algorithm could be inferred from the key.</exception>
        public static IList <SigningCredentials> AddKey(
            [NotNull] this IList <SigningCredentials> credentials, [NotNull] SecurityKey key)
        {
            if (credentials == null)
            {
                throw new ArgumentNullException(nameof(credentials));
            }

            if (key == null)
            {
                throw new ArgumentNullException(nameof(key));
            }

            // Note: this mutates the caller's key object. When no key identifier is present, one is derived
            // by GetKeyIdentifier() (per the original author, from the SHA-1 certificate thumbprint when the
            // key is bound to a X.509 certificate, otherwise from the public part of the key).
            if (string.IsNullOrEmpty(key.KeyId))
            {
                key.KeyId = key.GetKeyIdentifier();
            }

            // Algorithms are probed in this fixed order and only the first supported one is registered.
            string[] candidates = new string[]
            {
                SecurityAlgorithms.RsaSha256Signature,
                SecurityAlgorithms.HmacSha256Signature,
#if SUPPORTS_ECDSA
                // ECDSA algorithms are bound to specific curves, so each one is probed separately.
                SecurityAlgorithms.EcdsaSha256Signature,
                SecurityAlgorithms.EcdsaSha384Signature,
                SecurityAlgorithms.EcdsaSha512Signature,
#endif
            };

            foreach (string algorithm in candidates)
            {
                if (!key.IsSupportedAlgorithm(algorithm))
                {
                    continue;
                }

                credentials.Add(new SigningCredentials(key, algorithm));

                return credentials;
            }

            throw new InvalidOperationException("A signature algorithm cannot be automatically inferred from the signing key. " +
                                                "Consider using 'options.SigningCredentials.Add(SigningCredentials)' instead.");
        }
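        /// <summary>
        /// Adds a specific <see cref="SecurityKey"/> to sign the tokens issued by the OpenID Connect server.
        /// The signature algorithm is inferred from the algorithms the key reports as supported.
        /// </summary>
        /// <param name="credentials">The list of signing credentials the new entry is appended to.</param>
        /// <param name="key">The key used to sign security tokens issued by the server.</param>
        /// <returns>The same <paramref name="credentials"/> list, to allow call chaining.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="credentials"/> or <paramref name="key"/> is null.</exception>
        /// <exception cref="InvalidOperationException">
        /// The key is an asymmetric key without a private part, or neither RSA-SHA256 nor HMAC-SHA256 is supported by the key.
        /// </exception>
        public static IList <SigningCredentials> AddKey(
            [NotNull] this IList <SigningCredentials> credentials, [NotNull] SecurityKey key)
        {
            if (credentials == null)
            {
                throw new ArgumentNullException(nameof(credentials));
            }

            if (key == null)
            {
                throw new ArgumentNullException(nameof(key));
            }

            // Signing needs the private half of an asymmetric key: reject public-only keys at registration
            // time, matching the check performed by the sibling overload that takes the same parameters.
            if (key is AsymmetricSecurityKey asymmetricKey && !asymmetricKey.HasPrivateKey())
            {
                throw new InvalidOperationException("The asymmetric signing key doesn't contain the required private key.");
            }

            // Probed in preference order; only the first supported algorithm is registered.
            if (key.IsSupportedAlgorithm(SecurityAlgorithms.RsaSha256Signature))
            {
                credentials.Add(new SigningCredentials(key, SecurityAlgorithms.RsaSha256Signature,
                                                       SecurityAlgorithms.Sha256Digest, key.GetKeyIdentifier()));

                return credentials;
            }

            if (key.IsSupportedAlgorithm(SecurityAlgorithms.HmacSha256Signature))
            {
                credentials.Add(new SigningCredentials(key, SecurityAlgorithms.HmacSha256Signature,
                                                       SecurityAlgorithms.Sha256Digest, key.GetKeyIdentifier()));

                return credentials;
            }

            throw new InvalidOperationException("A signature algorithm cannot be automatically inferred from the signing key. " +
                                                "Consider using 'options.SigningCredentials.Add(SigningCredentials)' instead.");
        }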