/// <summary>
/// Adds a specific <see cref="SecurityKey"/> to sign the tokens issued by the OpenID Connect server.
/// </summary>
/// <param name="credentials">The options used to configure the OpenID Connect server.</param>
/// <param name="key">The key used to sign security tokens issued by the server.</param>
/// <returns>The signing credentials.</returns>
public static IList <SigningCredentials> AddKey(
[NotNull] this IList <SigningCredentials> credentials, [NotNull] SecurityKey key)
{
if (credentials == null)
{
throw new ArgumentNullException(nameof(credentials));
}
if (key == null)
{
throw new ArgumentNullException(nameof(key));
}
// If the signing key is an asymmetric security key, ensure it has a private key.
if (key is AsymmetricSecurityKey asymmetricSecurityKey &&
asymmetricSecurityKey.PrivateKeyStatus == PrivateKeyStatus.DoesNotExist)
{
throw new InvalidOperationException("The asymmetric signing key doesn't contain the required private key.");
}
// When no key identifier can be retrieved from the security key, a value is automatically
// inferred from the hexadecimal representation of the certificate thumbprint (SHA-1)
// when the key is bound to a X.509 certificate or from the public part of the signing key.
if (string.IsNullOrEmpty(key.KeyId))
{
key.KeyId = key.GetKeyIdentifier();
}
if (key.IsSupportedAlgorithm(SecurityAlgorithms.RsaSha256))
{
credentials.Add(new SigningCredentials(key, SecurityAlgorithms.RsaSha256));
return(credentials);
}
else if (key.IsSupportedAlgorithm(SecurityAlgorithms.HmacSha256))
{
credentials.Add(new SigningCredentials(key, SecurityAlgorithms.HmacSha256));
return(credentials);
}
#if SUPPORTS_ECDSA
// Note: ECDSA algorithms are bound to specific curves and must be treated separately.
else if (key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha256))
{
credentials.Add(new SigningCredentials(key, SecurityAlgorithms.EcdsaSha256));
return(credentials);
}
else if (key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha384))
{
credentials.Add(new SigningCredentials(key, SecurityAlgorithms.EcdsaSha384));
return(credentials);
}
else if (key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha512))
{
credentials.Add(new SigningCredentials(key, SecurityAlgorithms.EcdsaSha512));
return(credentials);
}
#else
else if (key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha256) ||
key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha384) ||
key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha512))
{
throw new PlatformNotSupportedException("ECDSA signing keys are not supported on this platform.");
}
#endif
throw new InvalidOperationException("A signature algorithm cannot be automatically inferred from the signing key. " +
"Consider using 'options.SigningCredentials.Add(SigningCredentials)' instead.");
}
/// <summary>
/// Adds a specific <see cref="SecurityKey"/> to decrypt
/// authorization requests received by the OpenID Connect server.
/// </summary>
/// <param name="credentials">The options used to configure the OpenID Connect server.</param>
/// <param name="key">The key used to sign security tokens issued by the server.</param>
/// <returns>The encryption credentials.</returns>
public static IList <EncryptingCredentials> AddKey(
[NotNull] this IList <EncryptingCredentials> credentials, [NotNull] SecurityKey key)
{
if (credentials == null)
{
throw new ArgumentNullException(nameof(credentials));
}
if (key == null)
{
throw new ArgumentNullException(nameof(key));
}
if (key.IsSupportedAlgorithm(SecurityAlgorithms.RsaOaepKeyWrap))
{
var x509SecurityKey = key as X509SecurityKey;
if (x509SecurityKey != null)
{
return(credentials.AddCertificate(x509SecurityKey.Certificate));
}
var x509AsymmetricSecurityKey = key as X509AsymmetricSecurityKey;
if (x509AsymmetricSecurityKey != null)
{
// The X.509 certificate is not directly accessible when using X509AsymmetricSecurityKey.
// Reflection is the only way to get the certificate used to create the security key.
var field = typeof(X509AsymmetricSecurityKey).GetField(
name: "certificate",
bindingAttr: BindingFlags.Instance | BindingFlags.NonPublic);
Debug.Assert(field != null);
return(credentials.AddCertificate((X509Certificate2)field.GetValue(x509AsymmetricSecurityKey)));
}
// Create an empty security key identifier.
var identifier = new SecurityKeyIdentifier();
var rsaSecurityKey = key as RsaSecurityKey;
if (rsaSecurityKey != null)
{
// When using a RSA key, the public part is used to uniquely identify the key.
var algorithm = (RSA)rsaSecurityKey.GetAsymmetricAlgorithm(
algorithm: SecurityAlgorithms.RsaOaepKeyWrap,
requiresPrivateKey: false);
Debug.Assert(algorithm != null);
// Export the RSA public key to extract a key identifier based on the modulus component.
var parameters = algorithm.ExportParameters(includePrivateParameters: false);
Debug.Assert(parameters.Modulus != null, "A null modulus was returned by RSA.ExportParameters()");
// Only use the 40 first chars of the base64url-encoded modulus.
var kid = Base64UrlEncoder.Encode(parameters.Modulus);
kid = kid.Substring(0, Math.Min(kid.Length, 40)).ToUpperInvariant();
identifier.Add(new LocalIdKeyIdentifierClause(kid));
identifier.Add(new RsaKeyIdentifierClause(algorithm));
}
credentials.Add(new EncryptingCredentials(key, identifier, SecurityAlgorithms.RsaOaepKeyWrap));
return(credentials);
}
else if (key.IsSupportedAlgorithm(SecurityAlgorithms.Aes256Encryption))
{
// When using an in-memory symmetric key, no identifier clause can be inferred from the key itself.
// To prevent the built-in security token handlers from throwing an exception, a default identifier is added.
var identifier = new SecurityKeyIdentifier(new LocalIdKeyIdentifierClause("Default"));
credentials.Add(new EncryptingCredentials(key, identifier, SecurityAlgorithms.Aes256Encryption));
return(credentials);
}
throw new InvalidOperationException("A key wrap algorithm cannot be automatically inferred from the encryption key. " +
"Consider using 'options.EncryptingCredentials.Add(EncryptingCredentials)' instead.");
}
/// <summary>
/// Adds a specific <see cref="SecurityKey"/> to sign the tokens issued by the OpenID Connect server.
/// </summary>
/// <param name="credentials">The options used to configure the OpenID Connect server.</param>
/// <param name="key">The key used to sign security tokens issued by the server.</param>
/// <returns>The signing credentials.</returns>
public static IList <SigningCredentials> AddKey(
[NotNull] this IList <SigningCredentials> credentials, [NotNull] SecurityKey key)
{
if (credentials == null)
{
throw new ArgumentNullException(nameof(credentials));
}
if (key == null)
{
throw new ArgumentNullException(nameof(key));
}
// When no key identifier can be retrieved from the security key, a value is automatically
// inferred from the hexadecimal representation of the certificate thumbprint (SHA-1)
// when the key is bound to a X.509 certificate or from the public part of the signing key.
if (string.IsNullOrEmpty(key.KeyId))
{
key.KeyId = key.GetKeyIdentifier();
}
if (key.IsSupportedAlgorithm(SecurityAlgorithms.RsaSha256Signature))
{
credentials.Add(new SigningCredentials(key, SecurityAlgorithms.RsaSha256Signature));
return(credentials);
}
else if (key.IsSupportedAlgorithm(SecurityAlgorithms.HmacSha256Signature))
{
credentials.Add(new SigningCredentials(key, SecurityAlgorithms.HmacSha256Signature));
return(credentials);
}
#if SUPPORTS_ECDSA
// Note: ECDSA algorithms are bound to specific curves and must be treated separately.
else if (key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha256Signature))
{
credentials.Add(new SigningCredentials(key, SecurityAlgorithms.EcdsaSha256Signature));
return(credentials);
}
else if (key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha384Signature))
{
credentials.Add(new SigningCredentials(key, SecurityAlgorithms.EcdsaSha384Signature));
return(credentials);
}
else if (key.IsSupportedAlgorithm(SecurityAlgorithms.EcdsaSha512Signature))
{
credentials.Add(new SigningCredentials(key, SecurityAlgorithms.EcdsaSha512Signature));
return(credentials);
}
#endif
throw new InvalidOperationException("A signature algorithm cannot be automatically inferred from the signing key. " +
"Consider using 'options.SigningCredentials.Add(SigningCredentials)' instead.");
}
