public byte[] Unwrap(byte[] encryptedCek, object key, int cekSizeBits, IDictionary <string, object> header)
{
var sharedPassphrase = Ensure.Type <string>(key, "Pbse2HmacShaKeyManagementWithAesKeyWrap management algorithm expectes key to be string.");
byte[] sharedKey = Encoding.UTF8.GetBytes(sharedPassphrase);
Ensure.Contains(header, new[] { "p2c" }, "Pbse2HmacShaKeyManagementWithAesKeyWrap algorithm expects 'p2c' param in JWT header, but was not found");
Ensure.Contains(header, new[] { "p2s" }, "Pbse2HmacShaKeyManagementWithAesKeyWrap algorithm expects 'p2s' param in JWT header, but was not found");
byte[] algId = Encoding.UTF8.GetBytes((string)header["alg"]);
int iterationCount = (int)header["p2c"];
byte[] saltInput = Compact.Base64UrlDecode((string)header["p2s"]);
byte[] salt = Arrays.Concat(algId, Arrays.Zero, saltInput);
byte[] kek;
using (var prf = PRF)
{
kek = PBKDF2.DeriveKey(sharedKey, salt, iterationCount, keyLengthBits, prf);
}
return(aesKW.Unwrap(encryptedCek, kek, cekSizeBits, header));
}
public byte[] Unwrap(byte[] encryptedCek, object key, int cekSizeBits, IDictionary <string, object> header)
{
byte[] sharedKey = Ensure.Type <byte[]>(key, "AesGcmKeyWrapManagement alg expectes key to be byte[] array.");
Ensure.BitSize(sharedKey, keyLengthBits, string.Format("AesGcmKeyWrapManagement management algorithm expected key of size {0} bits, but was given {1} bits", keyLengthBits, sharedKey.Length * 8));
Ensure.Contains(header, new[] { "iv" }, "AesGcmKeyWrapManagement algorithm expects 'iv' param in JWT header, but was not found");
Ensure.Contains(header, new[] { "tag" }, "AesGcmKeyWrapManagement algorithm expects 'tag' param in JWT header, but was not found");
byte[] iv = Compact.Base64UrlDecode((string)header["iv"]);
byte[] authTag = Compact.Base64UrlDecode((string)header["tag"]);
return(AesGcm.Decrypt(sharedKey, iv, null, encryptedCek, authTag));
}
public virtual byte[] Unwrap(byte[] encryptedCek, object key, int cekSizeBits, IDictionary <string, object> header)
{
var privateKey = Ensure.Type <CngKey>(key, "EcdhKeyManagement alg expects key to be of CngKey type.");
Ensure.Contains(header, new[] { "epk" }, "EcdhKeyManagement algorithm expects 'epk' key param in JWT header, but was not found");
Ensure.Contains(header, new[] { algIdHeader }, "EcdhKeyManagement algorithm expects 'enc' header to be present in JWT header, but was not found");
var epk = (IDictionary <string, object>)header["epk"];
Ensure.Contains(epk, new[] { "x", "y", "crv" }, "EcdhKeyManagement algorithm expects 'epk' key to contain 'x','y' and 'crv' fields.");
var x = Compact.Base64UrlDecode((string)epk["x"]);
var y = Compact.Base64UrlDecode((string)epk["y"]);
var externalPublicKey = EccKey.New(x, y, usage: CngKeyUsages.KeyAgreement);
return(DeriveKey(header, cekSizeBits, externalPublicKey, privateKey));
}
