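/// <summary>
/// Creates a <see cref="KeyWrapProvider"/> able to wrap or unwrap with <paramref name="key"/> using <paramref name="algorithm"/>.
/// A configured <c>CustomCryptoProvider</c> that reports support for the pair is consulted first; otherwise the
/// built-in RSA and symmetric providers are selected from the runtime type of the key.
/// </summary>
/// <param name="key">The <see cref="SecurityKey"/> that will wrap or unwrap the content key.</param>
/// <param name="algorithm">The key wrap algorithm identifier.</param>
/// <param name="willUnwrap">true when the provider is to be used for unwrapping; forwarded to the provider.</param>
/// <returns>A <see cref="KeyWrapProvider"/> for the key/algorithm pair.</returns>
/// <exception cref="ArgumentNullException">If <paramref name="key"/> is null or <paramref name="algorithm"/> is null or empty.</exception>
/// <exception cref="InvalidOperationException">If the custom provider claims support but does not return a <see cref="KeyWrapProvider"/>.</exception>
/// <exception cref="ArgumentException">If no provider supports the key/algorithm pair.</exception>
private KeyWrapProvider CreateKeyWrapProvider(SecurityKey key, string algorithm, bool willUnwrap)
{
    if (key == null)
    {
        throw LogHelper.LogArgumentNullException(nameof(key));
    }

    if (string.IsNullOrEmpty(algorithm))
    {
        throw LogHelper.LogArgumentNullException(nameof(algorithm));
    }

    // A custom provider that claims support wins over the built-in providers.
    if (CustomCryptoProvider != null && CustomCryptoProvider.IsSupportedAlgorithm(algorithm, key, willUnwrap))
    {
        var customProvider = CustomCryptoProvider.Create(algorithm, key, willUnwrap) as KeyWrapProvider;
        if (customProvider == null)
        {
            // The type reported in the message is the one expected here, KeyWrapProvider
            // (the previous SignatureProvider reference was a copy of the signature-provider path).
            throw LogHelper.LogExceptionMessage(new InvalidOperationException(string.Format(CultureInfo.InvariantCulture, LogMessages.IDX10646, algorithm, key, typeof(KeyWrapProvider))));
        }

        return customProvider;
    }

    var rsaKey = key as RsaSecurityKey;
    if (rsaKey != null && IsRsaAlgorithmSupported(algorithm))
    {
        return new RsaKeyWrapProvider(rsaKey, algorithm, willUnwrap);
    }

    var x509Key = key as X509SecurityKey;
    if (x509Key != null && IsRsaAlgorithmSupported(algorithm))
    {
        return new RsaKeyWrapProvider(x509Key, algorithm, willUnwrap);
    }

    // A JSON Web Key is dispatched on its "kty": RSA keys use RSA wrapping, octet keys use symmetric wrapping.
    var jsonWebKey = key as JsonWebKey;
    if (jsonWebKey != null)
    {
        if (jsonWebKey.Kty == JsonWebAlgorithmsKeyTypes.RSA && IsRsaAlgorithmSupported(algorithm))
        {
            return new RsaKeyWrapProvider(jsonWebKey, algorithm, willUnwrap);
        }

        if (jsonWebKey.Kty == JsonWebAlgorithmsKeyTypes.Octet && IsSymmetricAlgorithmSupported(algorithm))
        {
            return new SymmetricKeyWrapProvider(jsonWebKey, algorithm);
        }
    }

    var symmetricKey = key as SymmetricSecurityKey;
    if (symmetricKey != null && IsSymmetricAlgorithmSupported(algorithm))
    {
        return new SymmetricKeyWrapProvider(symmetricKey, algorithm);
    }

    throw LogHelper.LogExceptionMessage(new ArgumentException(string.Format(CultureInfo.InvariantCulture, LogMessages.IDX10661, algorithm, key)));
}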
/// <summary>
/// Releases a <see cref="KeyWrapProvider"/> obtained from this factory once the caller is finished with it.
/// </summary>
/// <param name="provider">The <see cref="KeyWrapProvider"/> to release; a null provider is ignored.</param>
public virtual void ReleaseKeyWrapProvider(KeyWrapProvider provider)
{
    // Disposal is the only cleanup step; tolerating null lets callers release unconditionally.
    provider?.Dispose();
}
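/// <summary>
/// Resolves the content encryption key (CEK) for <paramref name="encryptingCredentials"/>.
/// With the direct algorithm ("dir") the credentials' own key is the CEK and nothing is wrapped;
/// otherwise a fresh symmetric CEK sized for the Enc algorithm is generated and wrapped with the credentials' key.
/// </summary>
/// <param name="encryptingCredentials">The Alg/Enc pair and the key that protects the CEK.</param>
/// <param name="cryptoProviderFactory">The factory used to check algorithm support and to create the key wrap provider.</param>
/// <param name="wrappedKey">Receives the wrapped CEK, or null when the direct algorithm is used.</param>
/// <returns>The CEK to encrypt the content with.</returns>
/// <exception cref="ArgumentNullException">If either argument is null.</exception>
/// <exception cref="SecurityTokenEncryptionFailedException">If the factory does not support the algorithm for the key, or Enc is not one of the three AES-CBC-HMAC algorithms.</exception>
internal static SecurityKey GetSecurityKey(EncryptingCredentials encryptingCredentials, CryptoProviderFactory cryptoProviderFactory, out byte[] wrappedKey)
{
    if (encryptingCredentials == null)
    {
        throw LogHelper.LogArgumentNullException(nameof(encryptingCredentials));
    }

    if (cryptoProviderFactory == null)
    {
        throw LogHelper.LogArgumentNullException(nameof(cryptoProviderFactory));
    }

    wrappedKey = null;

    // Direct algorithm: the credentials' key is the CEK, so only Enc support for that key needs checking.
    if (JwtConstants.DirectKeyUseAlg.Equals(encryptingCredentials.Alg))
    {
        if (!cryptoProviderFactory.IsSupportedAlgorithm(encryptingCredentials.Enc, encryptingCredentials.Key))
        {
            throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10615, LogHelper.MarkAsNonPII(encryptingCredentials.Enc), encryptingCredentials.Key)));
        }

        return encryptingCredentials.Key;
    }

    if (!cryptoProviderFactory.IsSupportedAlgorithm(encryptingCredentials.Alg, encryptingCredentials.Key))
    {
        throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10615, LogHelper.MarkAsNonPII(encryptingCredentials.Alg), encryptingCredentials.Key)));
    }

    // Only the three AES-CBC-HMAC Enc algorithms are supported; their CEK is twice the AES key size
    // (MAC key plus AES key), i.e. 256, 384 or 512 bits.
    int cekSizeInBits;
    if (SecurityAlgorithms.Aes128CbcHmacSha256.Equals(encryptingCredentials.Enc))
    {
        cekSizeInBits = 256;
    }
    else if (SecurityAlgorithms.Aes192CbcHmacSha384.Equals(encryptingCredentials.Enc))
    {
        cekSizeInBits = 384;
    }
    else if (SecurityAlgorithms.Aes256CbcHmacSha512.Equals(encryptingCredentials.Enc))
    {
        cekSizeInBits = 512;
    }
    else
    {
        throw LogHelper.LogExceptionMessage(
            new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10617, LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes128CbcHmacSha256), LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes192CbcHmacSha384), LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes256CbcHmacSha512), LogHelper.MarkAsNonPII(encryptingCredentials.Enc))));
    }

    var securityKey = new SymmetricSecurityKey(JwtTokenUtilities.GenerateKeyBytes(cekSizeInBits));

    // The wrap provider is disposable; hand it back to the factory once the CEK is wrapped,
    // whether or not WrapKey succeeds, so provider resources are not leaked.
    KeyWrapProvider kwProvider = cryptoProviderFactory.CreateKeyWrapProvider(encryptingCredentials.Key, encryptingCredentials.Alg);
    try
    {
        wrappedKey = kwProvider.WrapKey(securityKey.Key);
    }
    finally
    {
        cryptoProviderFactory.ReleaseKeyWrapProvider(kwProvider);
    }

    return securityKey;
}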