public void ShouldValidateJwe(string algorithm, KeyType keyType, string encryption) { var options = new JwksOptions() { KeyPrefix = $"{nameof(JsonWebKeySetServiceTests)}_", Jwe = JweAlgorithm.Create(algorithm, keyType).WithEncryption(encryption) }; var encryptingCredentials = _jwksService.GenerateEncryptingCredentials(options); var handler = new JsonWebTokenHandler(); var now = DateTime.Now; var jwt = new SecurityTokenDescriptor { Issuer = "me", Audience = "you", IssuedAt = now, NotBefore = now, Expires = now.AddMinutes(5), Subject = new ClaimsIdentity(GenerateClaim().Generate(5)), EncryptingCredentials = encryptingCredentials }; var jwe = handler.CreateToken(jwt); var result = handler.ValidateToken(jwe, new TokenValidationParameters { ValidIssuer = "me", ValidAudience = "you", RequireSignedTokens = false, TokenDecryptionKey = encryptingCredentials.Key }); result.IsValid.Should().BeTrue(); }
public void ShouldRemovePrivateKeyFromJweAfterUpdateAExpiredJwk(string algorithm, KeyType keyType, string encryption) { var alg = JweAlgorithm.Create(algorithm, keyType).WithEncryption(encryption); var key = _keyService.GenerateSigningCredentials(new JwksOptions() { KeyPrefix = "ShouldGenerateManyRsa_", Jwe = alg }); var privateKey = new SecurityKeyWithPrivate(); privateKey.SetJweParameters(key.Key, alg); _jsonWebKeyStore.Save(privateKey); /*Remove private*/ _jsonWebKeyStore.Revoke(privateKey); var jsonWebKey = _keyService.GetLastKeysCredentials(JsonWebKeyType.Jwe, 5).First(w => w.Kid == privateKey.KeyId); jsonWebKey.Kty.Should().NotBeNullOrEmpty(); jsonWebKey.HasPrivateKey.Should().BeFalse(); switch (jsonWebKey.Kty) { case JsonWebAlgorithmsKeyTypes.EllipticCurve: jsonWebKey.D.Should().BeNullOrEmpty(); break; case JsonWebAlgorithmsKeyTypes.RSA: jsonWebKey.D.Should().BeNullOrEmpty(); jsonWebKey.DP.Should().BeNullOrEmpty(); jsonWebKey.DQ.Should().BeNullOrEmpty(); jsonWebKey.P.Should().BeNullOrEmpty(); jsonWebKey.Q.Should().BeNullOrEmpty(); jsonWebKey.QI.Should().BeNullOrEmpty(); break; case JsonWebAlgorithmsKeyTypes.Octet: jsonWebKey.K.Should().NotBeNullOrEmpty(); break; } }
public void ShouldSaveJweRecoverAndEncrypt(string algorithm, KeyType keyType, string encryption) { this.WarmupData.Clear(); var options = new JwksOptions() { Jwe = JweAlgorithm.Create(algorithm, keyType).WithEncryption(encryption) }; var handler = new JsonWebTokenHandler(); var now = DateTime.Now; // Generate right now and in memory var newKey = _keyService.GetCurrentEncryptingCredentials(options); // recovered from database var currentKey = _keyService.GetCurrentEncryptingCredentials(options); newKey.Key.KeyId.Should().Be(currentKey.Key.KeyId); var claims = new ClaimsIdentity(GenerateClaim().Generate(5)); var descriptor = new SecurityTokenDescriptor { Issuer = "me", Audience = "you", IssuedAt = now, NotBefore = now, Expires = now.AddMinutes(5), Subject = claims, EncryptingCredentials = newKey }; var descriptorFromDb = new SecurityTokenDescriptor { Issuer = "me", Audience = "you", IssuedAt = now, NotBefore = now, Expires = now.AddMinutes(5), Subject = claims, EncryptingCredentials = currentKey }; var jwt1 = handler.CreateToken(descriptor); var jwt2 = handler.CreateToken(descriptorFromDb); var result = handler.ValidateToken(jwt1, new TokenValidationParameters { ValidIssuer = "me", ValidAudience = "you", RequireSignedTokens = false, TokenDecryptionKey = currentKey.Key }); result.IsValid.Should().BeTrue(); result = handler.ValidateToken(jwt2, new TokenValidationParameters { ValidIssuer = "me", ValidAudience = "you", RequireSignedTokens = false, TokenDecryptionKey = currentKey.Key }); result.IsValid.Should().BeTrue(); }