public byte[] Decrypt(byte[] aad, byte[] cek, byte[] iv, byte[] cipherText, byte[] authTag)
{
Ensure.BitSize(cek, keyLength, string.Format("AES-GCM algorithm expected key of size {0} bits, but was given {1} bits", keyLength, cek.Length * 8L));
try
{
return(AesGcm.Decrypt(cek, iv, aad, cipherText, authTag));
}
catch (CryptographicException e)
{
throw new EncryptionException("Unable to decrypt content or authentication tag do not match.", e);
}
}
public byte[] Unwrap(byte[] encryptedCek, object key, int cekSizeBits, IDictionary <string, string> header)
{
byte[] sharedKey = Ensure.Type <byte[]>(key, "AesGcmKeyWrapManagement alg expectes key to be byte[] array.");
Ensure.BitSize(sharedKey, keyLengthBits, string.Format("AesGcmKeyWrapManagement management algorithm expected key of size {0} bits, but was given {1} bits", keyLengthBits, sharedKey.Length * 8L));
Ensure.Contains(header, new[] { "iv" }, "AesGcmKeyWrapManagement algorithm expects 'iv' param in JWT header, but was not found");
Ensure.Contains(header, new[] { "tag" }, "AesGcmKeyWrapManagement algorithm expects 'tag' param in JWT header, but was not found");
byte[] iv = Base64Url.Decode((string)header["iv"]);
byte[] authTag = Base64Url.Decode((string)header["tag"]);
return(AesGcm.Decrypt(sharedKey, iv, null, encryptedCek, authTag));
}