static bool KeysEqual(SecurityKey k1, SecurityKey k2)
{
return
(k1 != null && k2 != null &&
k1.GetType() == k2.GetType() &&
k1 is SymmetricSecurityKey k1s &&
k2 is SymmetricSecurityKey k2s &&
HelperTools.AreByteArraysEqual(k1s.Key, k2s.Key));
}
protected virtual KeyInfo CreateKeyInfo(SecurityKey key)
{
if (key is X509SecurityKey x509)
{
if (Options.UseSecurityTokenReference)
{
var publicKey = x509.Certificate.Export(X509ContentType.Cert);
using (var sha1 = SHA1.Create())
{
var hashed = sha1.ComputeHash(publicKey);
return(new SecurityTokenReferenceKeyInfo
{
KeyIdValueType = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1",
KeyId = Convert.ToBase64String(hashed)
});
}
}
return(new KeyInfo
{
X509Data =
{
new X509Data(x509.Certificate)
}
});
}
else if (key is RsaSecurityKey rsa)
{
var id = Options.GenerateId(rsa);
return(new KeyInfo {
KeyName = id
});
}
throw new NotSupportedException($"Key type '{key.GetType().Name}' not supported.");
}
private static bool AreSecurityKeysEqual(SecurityKey securityKey1, SecurityKey securityKey2, CompareContext context)
{
if (context.IgnoreType && (securityKey1.GetType() != securityKey2.GetType()))
{
return(false);
}
// Check X509SecurityKey first so we don't have to use reflection to get cert.
X509SecurityKey x509Key1 = securityKey1 as X509SecurityKey;
if (x509Key1 != null)
{
X509SecurityKey x509Key2 = securityKey2 as X509SecurityKey;
if (x509Key1.Certificate.Thumbprint == x509Key2.Certificate.Thumbprint)
{
return(true);
}
return(false);
}
X509AsymmetricSecurityKey x509AsymmKey1 = securityKey1 as X509AsymmetricSecurityKey;
if (x509AsymmKey1 != null)
{
X509AsymmetricSecurityKey x509AsymmKey2 = securityKey2 as X509AsymmetricSecurityKey;
X509Certificate2 x509Cert1 = TestUtilities.GetField(x509AsymmKey1, "certificate") as X509Certificate2;
X509Certificate2 x509Cert2 = TestUtilities.GetField(x509AsymmKey2, "certificate") as X509Certificate2;
if (x509Cert1 == null && x509Cert2 == null)
{
return(true);
}
if (x509Cert1 == null || x509Cert2 == null)
{
return(false);
}
if (x509Cert1.Thumbprint != x509Cert2.Thumbprint)
{
return(false);
}
}
SymmetricSecurityKey symKey1 = securityKey1 as SymmetricSecurityKey;
if (symKey1 != null)
{
SymmetricSecurityKey symKey2 = securityKey2 as SymmetricSecurityKey;
if (!AreBytesEqual(symKey1.GetSymmetricKey(), symKey2.GetSymmetricKey()))
{
return(false);
}
}
RsaSecurityKey rsaKey = securityKey1 as RsaSecurityKey;
if (rsaKey != null)
{
RSA rsa1 = (rsaKey.GetAsymmetricAlgorithm(SecurityAlgorithms.RsaSha256Signature, false)) as RSA;
RSA rsa2 = ((securityKey2 as RsaSecurityKey).GetAsymmetricAlgorithm(SecurityAlgorithms.RsaSha256Signature, false)) as RSA;
if (!string.Equals(rsa1.ToXmlString(false), rsa2.ToXmlString(false), StringComparison.Ordinal))
{
return(false);
}
}
return(true);
}
/// <summary>
/// Initializes a new instance of the <see cref="KeyVaultKeyWrapProvider"/> class.
/// </summary>
/// <param name="key">The <see cref="SecurityKey"/> that will be used for key wrap operations.</param>
/// <param name="algorithm">The key wrap algorithm to apply.</param>
/// <param name="client">A mock <see cref="IKeyVaultClient"/> used for testing purposes.</param>
internal KeyVaultKeyWrapProvider(SecurityKey key, string algorithm, IKeyVaultClient client)
{
_algorithm = string.IsNullOrEmpty(algorithm) ? throw LogHelper.LogArgumentNullException(nameof(algorithm)) : algorithm;
if (key == null)
{
throw LogHelper.LogArgumentNullException(nameof(key));
}
_key = key as KeyVaultSecurityKey ?? throw LogHelper.LogExceptionMessage(new NotSupportedException(key.GetType().ToString()));
_client = client ?? new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(_key.Callback));
}
/// <summary>
/// Returns the <see cref="SymmetricAlgorithm"/>.
/// </summary>
/// <returns></returns>
/// <exception cref="ArgumentException">The <see cref="SecurityKey"/> cannot be converted to byte array</exception>
/// <exception cref="ArgumentOutOfRangeException">The keysize doesn't match the algorithm.</exception>
/// <exception cref="InvalidOperationException">Failed to create symmetric algorithm with provided key and algorithm.</exception>
protected virtual SymmetricAlgorithm GetSymmetricAlgorithm(SecurityKey key, string algorithm)
{
byte[] keyBytes = null;
SymmetricSecurityKey symmetricSecurityKey = key as SymmetricSecurityKey;
if (symmetricSecurityKey != null)
{
keyBytes = symmetricSecurityKey.Key;
}
else
{
JsonWebKey jsonWebKey = key as JsonWebKey;
if (jsonWebKey != null && jsonWebKey.K != null && jsonWebKey.Kty == JsonWebAlgorithmsKeyTypes.Octet)
{
keyBytes = Base64UrlEncoder.DecodeBytes(jsonWebKey.K);
}
}
if (keyBytes == null)
{
throw LogHelper.LogExceptionMessage(new ArgumentException(string.Format(CultureInfo.InvariantCulture, LogMessages.IDX10657, key.GetType())));
}
ValidateKeySize(keyBytes, algorithm);
try
{
// Create the AES provider
SymmetricAlgorithm symmetricAlgorithm = Aes.Create();
symmetricAlgorithm.Mode = CipherMode.ECB;
symmetricAlgorithm.Padding = PaddingMode.None;
symmetricAlgorithm.KeySize = keyBytes.Length * 8;
symmetricAlgorithm.Key = keyBytes;
// Set the AES IV to Zeroes
var aesIv = new byte[symmetricAlgorithm.BlockSize >> 3];
Utility.Zero(aesIv);
symmetricAlgorithm.IV = aesIv;
return(symmetricAlgorithm);
}
catch (Exception ex)
{
throw LogHelper.LogExceptionMessage(new InvalidOperationException(string.Format(CultureInfo.InvariantCulture, LogMessages.IDX10663, key, algorithm), ex));
}
}
/// <summary>
/// Gets the X509 certificate.
/// </summary>
/// <param name="key">The key.</param>
/// <param name="store">The store.</param>
/// <returns></returns>
/// <exception cref="System.InvalidOperationException">Cannot use signing credential with key of type '{key.GetType().Name}'</exception>
/// <exception cref="InvalidOperationException">Cannot use signing credential with key of type '{key.GetType().Name}'</exception>
public static X509Certificate2 GetX509Certificate(this SecurityKey key, ISigningCredentialStore store)
{
if (key is RsaSecurityKey rsaKey)
{
var rsa = rsaKey.Rsa ?? RSA.Create(rsaKey.Parameters);
var certRequest = new CertificateRequest("cn=theidserver", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
if (store is IKeyRingStores keyRingStore)
{
var defaultKey = keyRingStore.DefaultKey;
return(certRequest.CreateSelfSigned(defaultKey.ActivationDate, defaultKey.ExpirationDate));
}
return(certRequest.CreateSelfSigned(DateTimeOffset.Now, DateTimeOffset.Now.AddYears(1)));
}
else if (key is X509SecurityKey x509)
{
return(x509.Certificate);
}
else
{
throw new InvalidOperationException($"Cannot use signing credential with key of type '{key.GetType().Name}'");
}
}
internal static string GetHeaderCacheKey(SecurityKey securityKey, string algorithm)
{
return(string.Format(CultureInfo.InvariantCulture, "{0}-{1}-{2}", securityKey.GetType(), securityKey.KeyId, algorithm));
}
internal static string GetHeaderCacheKey(SecurityKey securityKey, string algorithm)
{
return($"{securityKey.GetType()}-{securityKey.KeyId}-{algorithm}");
}
private static SignatureProvider CreateProvider(SecurityKey key, string algorithm, bool willCreateSignatures)
{
if (key == null)
{
throw new ArgumentNullException("key");
}
if (algorithm == null)
{
throw new ArgumentNullException("algorithm");
}
if (string.IsNullOrWhiteSpace(algorithm))
{
throw new ArgumentException(string.Format(CultureInfo.InvariantCulture, ErrorMessages.IDX10002, "algorithm "));
}
AsymmetricSecurityKey asymmetricKey = key as AsymmetricSecurityKey;
if (asymmetricKey != null)
{
if (willCreateSignatures)
{
if (asymmetricKey.KeySize < MinimumAsymmetricKeySizeInBitsForSigning)
{
throw new ArgumentOutOfRangeException("key.KeySize", asymmetricKey.KeySize, string.Format(CultureInfo.InvariantCulture, ErrorMessages.IDX10630, key.GetType(), MinimumAsymmetricKeySizeInBitsForSigning));
}
}
if (asymmetricKey.KeySize < MinimumAsymmetricKeySizeInBitsForVerifying)
{
throw new ArgumentOutOfRangeException("key.KeySize", asymmetricKey.KeySize, string.Format(CultureInfo.InvariantCulture, ErrorMessages.IDX10631, key.GetType(), MinimumAsymmetricKeySizeInBitsForVerifying));
}
return(new AsymmetricSignatureProvider(asymmetricKey, algorithm, willCreateSignatures));
}
SymmetricSecurityKey symmetricKey = key as SymmetricSecurityKey;
if (symmetricKey != null)
{
if (symmetricKey.KeySize < MinimumSymmetricKeySizeInBits)
{
throw new ArgumentOutOfRangeException("key.KeySize", key.KeySize, string.Format(CultureInfo.InvariantCulture, ErrorMessages.IDX10603, key.GetType(), MinimumSymmetricKeySizeInBits));
}
return(new SymmetricSignatureProvider(symmetricKey, algorithm));
}
throw new ArgumentException(string.Format(CultureInfo.InvariantCulture, ErrorMessages.IDX10600, typeof(SignatureProvider).ToString(), typeof(SecurityKey), typeof(AsymmetricSecurityKey), typeof(SymmetricSecurityKey), key.GetType()));
}
