/// <summary> /// Convert JsonWebKeySet to List<SecurityKey> /// </summary> /// <param name="jsonWebKeySet">IdentityModel.Jwk.JsonWebKeySet</param> /// <returns>SecurityKey list</returns> private static List <SecurityKey> getSecurityKeys(IdentityModel.Jwk.JsonWebKeySet jsonWebKeySet) { var keys = new List <SecurityKey>(); foreach (var key in jsonWebKeySet.Keys) { if (key.Kty == "RSA") { if (key.X5c != null && key.X5c.Count() > 0) { string certificateString = key.X5c[0]; var certificate = new X509Certificate2(Convert.FromBase64String(certificateString)); var x509SecurityKey = new X509SecurityKey(certificate) { KeyId = key.Kid }; keys.Add(x509SecurityKey); } else if (!string.IsNullOrWhiteSpace(key.E) && !string.IsNullOrWhiteSpace(key.N)) { byte[] exponent = fromBase64Url(key.E); byte[] modulus = fromBase64Url(key.N); var rsaParameters = new RSAParameters { Exponent = exponent, Modulus = modulus }; var rsaSecurityKey = new RsaSecurityKey(rsaParameters) { KeyId = key.Kid }; keys.Add(rsaSecurityKey); } else { throw new Exception("JWK data is missing in token validation"); } } else { throw new NotImplementedException("Only RSA key type is implemented for token validation"); } } return(keys); }
public static IdentityModel.Jwk.JsonWebKeySet CreateKeySet(RsaSecurityKey key) { var parameters = key.Rsa?.ExportParameters(false) ?? key.Parameters; var exponent = Base64Url.Encode(parameters.Exponent); var modulus = Base64Url.Encode(parameters.Modulus); var webKey = new IdentityModel.Jwk.JsonWebKey { Kty = "RSA", Use = "sig", Kid = key.KeyId, E = exponent, N = modulus, }; var set = new IdentityModel.Jwk.JsonWebKeySet(); set.Keys.Add(webKey); return(set); }
private ClaimsPrincipal ValidateSignature( string identityToken, JwtSecurityTokenHandler handler, TokenValidationParameters parameters, IdentityModel.Jwk.JsonWebKeySet keySet) { if (parameters.RequireSignedTokens) { // read keys from provider information var keys = new List <SecurityKey>(); foreach (var webKey in keySet.Keys) { if (webKey.E.IsPresent() && webKey.N.IsPresent()) { // only add keys used for signatures if (webKey.Use == "sig" || webKey.Use == null) { var e = Base64Url.Decode(webKey.E); var n = Base64Url.Decode(webKey.N); var key = new RsaSecurityKey(new RSAParameters { Exponent = e, Modulus = n }); key.KeyId = webKey.Kid; keys.Add(key); _logger.LogDebug("Added signing key with kid: {kid}", key?.KeyId ?? "not set"); } } else if (webKey.X.IsPresent() && webKey.Y.IsPresent() && webKey.Crv.IsPresent()) { var ec = ECDsa.Create(new ECParameters { Curve = GetCurveFromCrvValue(webKey.Crv), Q = new ECPoint { X = Base64Url.Decode(webKey.X), Y = Base64Url.Decode(webKey.Y) } }); var key = new ECDsaSecurityKey(ec); key.KeyId = webKey.Kid; keys.Add(key); } else { _logger.LogDebug("Signing key with kid: {kid} currently not supported", webKey.Kid ?? "not set"); } } parameters.IssuerSigningKeys = keys; } SecurityToken token; return(handler.ValidateToken(identityToken, parameters, out token)); }
public static List <SecurityKey> GetSigningKeys(this IdentityModel.Jwk.JsonWebKeySet jwks) { var securityKeyList = new List <SecurityKey>(); foreach (var key in jwks.Keys) { if (!StringComparer.Ordinal.Equals(key.Kty, "RSA") || (!string.IsNullOrWhiteSpace(key.Use) && !StringComparer.Ordinal.Equals(key.Use, "sig"))) { continue; } if (key.X5c != null) { foreach (var s in key.X5c) { try { SecurityKey securityKey = new X509SecurityKey(new X509Certificate2(Convert.FromBase64String(s))); securityKey.KeyId = key.Kid; securityKeyList.Add(securityKey); } catch (CryptographicException ex) { throw new InvalidOperationException($"Unable to create an X509Certificate2 from the X509Data: '{s}'. See inner exception for additional details.", ex); } catch (FormatException ex) { throw new InvalidOperationException($"Unable to create an X509Certificate2 from the X509Data: '{s}'. See inner exception for additional details.", ex); } } } if (string.IsNullOrWhiteSpace(key.E)) { continue; } { if (string.IsNullOrWhiteSpace(key.N)) { continue; } try { var rsaParameters = new RSAParameters { Exponent = Base64UrlEncoder.DecodeBytes(key.E), Modulus = Base64UrlEncoder.DecodeBytes(key.N) }; SecurityKey securityKey = new RsaSecurityKey(rsaParameters); securityKey.KeyId = key.Kid; securityKeyList.Add(securityKey); } catch (CryptographicException ex) { throw new InvalidOperationException($"Unable to create an RSA public key from the Exponent and Modulus found in the JsonWebKey: E: '{key.E}', N: '{key.N}'. See inner exception for additional details.", ex); } catch (FormatException ex) { throw new InvalidOperationException($"Unable to create an RSA public key from the Exponent and Modulus found in the JsonWebKey: E: '{key.E}', N: '{key.N}'. See inner exception for additional details.", ex); } } } return(securityKeyList); }