public void Build_BinaryJwt()
{
var builder = new JwtDescriptorBuilder();
builder
.EncryptWith(SymmetricJwk.GenerateKey(128), EncryptionAlgorithm.Aes128CbcHmacSha256, KeyManagementAlgorithm.Direct)
.BinaryPayload(new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 });
var descriptor = builder.Build();
Assert.IsType <BinaryJweDescriptor>(descriptor);
var binary = (BinaryJweDescriptor)descriptor;
Assert.Equal(new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 }, binary.Payload);
Assert.Equal(KeyManagementAlgorithm.Direct, binary.Algorithm);
Assert.Equal(EncryptionAlgorithm.Aes128CbcHmacSha256, binary.EncryptionAlgorithm);
}
public void EncryptFast_Decrypt()
{
var data = Encoding.UTF8.GetBytes("This is a test string for encryption.");
var ciphertext = new Span <byte>(new byte[data.Length]);
var authenticationTag = new Span <byte>(new byte[16]);
var plaintext = new Span <byte>(new byte[data.Length]);
var key = SymmetricJwk.GenerateKey(EncryptionAlgorithm.A128Gcm);
var nonce = new byte[] { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
var encryptor = new AesGcmEncryptor(EncryptionAlgorithm.A128Gcm);
encryptor.Encrypt(key.AsSpan(), data, nonce, nonce, ciphertext, authenticationTag, out int tagSize);
var decryptor = new AesGcmDecryptor(EncryptionAlgorithm.A128Gcm);
bool decrypted = decryptor.TryDecrypt(key.K, ciphertext, nonce, nonce, authenticationTag.Slice(0, tagSize), plaintext, out int bytesWritten);
Assert.True(decrypted);
Assert.Equal(16, tagSize);
Assert.Equal(plaintext.Length, bytesWritten);
}
public void Build_TextJwt()
{
var builder = new JwtDescriptorBuilder();
builder
.PlaintextPayload("Live long and prosper.")
.EncryptWith(SymmetricJwk.GenerateKey(128), EncryptionAlgorithm.Aes128CbcHmacSha256, KeyManagementAlgorithm.Direct);
var descriptor = builder.Build();
Assert.IsType <PlaintextJweDescriptor>(descriptor);
var plaintext = (PlaintextJweDescriptor)descriptor;
Assert.Equal("Live long and prosper.", plaintext.Payload);
Assert.Equal(KeyManagementAlgorithm.Direct, plaintext.Algorithm);
Assert.Equal(EncryptionAlgorithm.Aes128CbcHmacSha256, plaintext.EncryptionAlgorithm);
}
public void Contains()
{
var key128 = SymmetricJwk.GenerateKey(128);
var key192 = SymmetricJwk.GenerateKey(192);
var key256 = SymmetricJwk.GenerateKey(256);
var key512 = SymmetricJwk.GenerateKey(512);
var jwks = new Jwks("issuer1")
{
key128,
key192,
key256
};
Assert.Contains(key128, jwks);
Assert.Contains(key192, jwks);
Assert.Contains(key256, jwks);
Assert.DoesNotContain(key512, jwks);
Assert.DoesNotContain(null, jwks);
}
public void JwsDescriptor_Ctor()
{
SymmetricJwk signingKey = SymmetricJwk.GenerateKey(SignatureAlgorithm.HS256);
Assert.Throws <ArgumentNullException>(() => new JwsDescriptor(null, SignatureAlgorithm.HS256));
Assert.Throws <ArgumentNullException>(() => new JwsDescriptor(signingKey, null));
var descriptor = new JwsDescriptor(signingKey, SignatureAlgorithm.HS256, "typ_value", "cty_value");
Assert.Equal(signingKey, descriptor.SigningKey);
Assert.Equal(SignatureAlgorithm.HS256, descriptor.Alg);
Assert.True(descriptor.Header.TryGetValue("typ", out var typ));
Assert.Equal("typ_value", (string)typ.Value);
Assert.True(descriptor.Header.TryGetValue("cty", out var cty));
Assert.Equal("cty_value", (string)cty.Value);
var defaultDescriptor = new JwsDescriptor(signingKey, SignatureAlgorithm.HS256);
Assert.False(defaultDescriptor.Header.TryGetValue("typ", out _));
Assert.False(defaultDescriptor.Header.TryGetValue("cty", out _));
}
public void Equal()
{
var key = SymmetricJwk.GenerateKey(128);
Assert.True(key.Equals(key));
Assert.Equal(key, key);
var copiedKey = Jwk.FromJson(key.ToString());
Assert.Equal(key, copiedKey);
// 'kid' is not a discriminant, excepted if the value is different.
copiedKey.Kid = default;
Assert.Equal(key, copiedKey);
Assert.Equal(copiedKey, key);
key.Kid = default;
Assert.Equal(key, copiedKey);
key.Kid = JsonEncodedText.Encode("X");
copiedKey.Kid = JsonEncodedText.Encode("Y");
Assert.NotEqual(key, copiedKey);
Assert.NotEqual(key, Jwk.None);
}
public void Remove()
{
var key128 = SymmetricJwk.GenerateKey(128);
var key192 = SymmetricJwk.GenerateKey(192);
var key256 = SymmetricJwk.GenerateKey(256);
var key512 = SymmetricJwk.GenerateKey(512);
var jwks = new Jwks("issuer1")
{
key128,
key192,
key256
};
Assert.Equal(3, jwks.Count);
jwks.Remove(key192);
Assert.Equal(2, jwks.Count);
jwks.Remove(key512);
Assert.Equal(2, jwks.Count);
Assert.Throws <ArgumentNullException>(() => jwks.Remove(null));
}
private static JweWrapper CreateDescriptor(KeyManagementAlgorithm algorithm, EncryptionAlgorithm encryptionAlgorithm)
{
var jwk = algorithm.Category switch
{
Cryptography.AlgorithmCategory.None => Jwk.None,
Cryptography.AlgorithmCategory.EllipticCurve => ECJwk.GeneratePrivateKey(EllipticalCurve.P256, algorithm),
Cryptography.AlgorithmCategory.Rsa => RsaJwk.GeneratePrivateKey(4096, algorithm),
Cryptography.AlgorithmCategory.Aes => SymmetricJwk.GenerateKey(algorithm),
Cryptography.AlgorithmCategory.AesGcm => SymmetricJwk.GenerateKey(algorithm),
Cryptography.AlgorithmCategory.Hmac => SymmetricJwk.GenerateKey(algorithm),
Cryptography.AlgorithmCategory.Direct => SymmetricJwk.GenerateKey(encryptionAlgorithm),
Cryptography.AlgorithmCategory.Direct | Cryptography.AlgorithmCategory.EllipticCurve => ECJwk.GeneratePrivateKey(EllipticalCurve.P256),
_ => throw new InvalidOperationException(algorithm.Category.ToString())
};
var descriptor = new JweDescriptor(jwk, algorithm, encryptionAlgorithm)
{
Payload = new JwsDescriptor(Jwk.None, SignatureAlgorithm.None)
{
Payload = new JwtPayload
{
{ JwtClaimNames.Iat, EpochTime.UtcNow },
{ JwtClaimNames.Exp, EpochTime.UtcNow + EpochTime.OneHour },
{ JwtClaimNames.Iss, "https://idp.example.com/" },
{ JwtClaimNames.Aud, "636C69656E745F6964" }
}
}
};
var policy = new TokenValidationPolicyBuilder()
.AcceptUnsecureToken("https://idp.example.com/")
.WithDecryptionKey(jwk)
.Build();
var writer = new JwtWriter();
return(new JweWrapper(writer.WriteToken(descriptor), algorithm, encryptionAlgorithm, policy));
}
}
public void Build_Jwe()
{
var builder = new JwtDescriptorBuilder();
var now = EpochTime.ToDateTime(EpochTime.UtcNow);
builder
.SignWith(RsaJwk.GenerateKey(2048, true, SignatureAlgorithm.RsaSsaPssSha256))
.EncryptWith(SymmetricJwk.GenerateKey(128), EncryptionAlgorithm.Aes128CbcHmacSha256, KeyManagementAlgorithm.Direct)
.IssuedBy("https://issuer.example.com")
.ExpiresAt(now);
var descriptor = builder.Build();
Assert.IsType <JweDescriptor>(descriptor);
var jwe = (JweDescriptor)descriptor;
Assert.Equal("https://issuer.example.com", jwe.Payload.Issuer);
Assert.Equal(now, jwe.Payload.ExpirationTime);
Assert.Equal(SignatureAlgorithm.RsaSsaPssSha256, jwe.Payload.Algorithm);
Assert.Equal(KeyManagementAlgorithm.Direct, jwe.Algorithm);
Assert.Equal(EncryptionAlgorithm.Aes128CbcHmacSha256, jwe.EncryptionAlgorithm);
}
static void Main()
{
// Generates the symmetric key for AES encryption with the algorithm 'A256GCMKW'
var sharedEncryptionKey = SymmetricJwk.GenerateKey(KeyManagementAlgorithm.A256GcmKW);
// Creates the symmetric key defined for the 'HS256' signature algorithm
var signatureKey = SymmetricJwk.GenerateKey(SignatureAlgorithm.HS256);
// Creates the JWE descriptor
// The descriptor sets the 'alg' with value 'A256GCMKW' and 'enc' with value 'A128CBC-HS256'
var descriptor = new JweDescriptor(sharedEncryptionKey, KeyManagementAlgorithm.A256GcmKW, EncryptionAlgorithm.A256CbcHS512)
{
// Creates the JWS payload
Payload = new JwsDescriptor(signatureKey, SignatureAlgorithm.HS256)
{
Payload = new JwtPayload
{
// Defines the JWS claims
{ JwtClaimNames.Iat, EpochTime.UtcNow },
{ JwtClaimNames.Exp, EpochTime.UtcNow + EpochTime.OneHour },
{ JwtClaimNames.Iss, "https://idp.example.com/" },
{ JwtClaimNames.Aud, "636C69656E745F6964" }
}
}
};
// Generates the UTF-8 string representation of the JWT
var writer = new JwtWriter();
var token = writer.WriteTokenString(descriptor);
Console.WriteLine("The JWT is:");
Console.WriteLine(descriptor);
Console.WriteLine();
Console.WriteLine("Its compact form is:");
Console.WriteLine(token);
}
private static SymmetricJwk CreateSigningKey()
{
return(SymmetricJwk.GenerateKey(SignatureAlgorithm.HS256));
}
internal static SymmetricJwk CreateSymmetricKey(EncryptionAlgorithm encryptionAlgorithm, SymmetricJwk?staticKey) => staticKey ?? SymmetricJwk.GenerateKey(encryptionAlgorithm.RequiredKeySizeInBits, computeThumbprint: false);
public void BuildPolicy()
{
const int ValidateSignature = 0x01;
const int ValidateAudience = 0x02;
var registry = new AuditTrailHubRegistry();
var reg1 = new AuditTrailHubRegistration("client1", SignatureAlgorithm.HS256, SymmetricJwk.GenerateKey(128));
registry.Add(reg1);
var policy = registry.BuildPolicy("uruk.example.com");
Assert.Equal(ValidateSignature | ValidateAudience, policy.Control);
Assert.Single(policy.RequiredAudiences, "uruk.example.com");
var reg2 = new AuditTrailHubRegistration("client2", SignatureAlgorithm.RS256, "https://demo.identityserver.io/.well-known/openid-configuration/jwks");
registry.Add(reg2);
policy = registry.BuildPolicy("uruk.example.com");
Assert.Equal(ValidateSignature | ValidateAudience, policy.Control);
Assert.Single(policy.RequiredAudiences, "uruk.example.com");
}
public void TryWrapKey_WithStaticKey_Throws(EncryptionAlgorithm enc, KeyManagementAlgorithm alg)
{
var contentEncryptionKey = SymmetricJwk.GenerateKey(enc.RequiredKeySizeInBits);
Assert.Throws <ArgumentException>(() => TryWrapKey_Success(contentEncryptionKey, enc, alg));
}
private static SymmetricJwk CreateEncryptionKey()
{
return(SymmetricJwk.GenerateKey(KeyManagementAlgorithm.A128KW));
}
public void Ctor_ThrowException()
{
Assert.Throws <ArgumentNullException>(() => new AuditTrailHubRegistration(null !, SignatureAlgorithm.HS256, SymmetricJwk.GenerateKey(128)));
Assert.Throws <ArgumentNullException>(() => new AuditTrailHubRegistration("client1", null !, SymmetricJwk.GenerateKey(128)));
Assert.Throws <ArgumentNullException>(() => new AuditTrailHubRegistration("client1", SignatureAlgorithm.HS256, (Jwk)null !));
Assert.Throws <ArgumentNullException>(() => new AuditTrailHubRegistration(null !, SignatureAlgorithm.HS256, "https://demo.identityserver.io/.well-known/openid-configuration/jwks"));
Assert.Throws <ArgumentNullException>(() => new AuditTrailHubRegistration("client1", null !, "https://demo.identityserver.io/.well-known/openid-configuration/jwks"));
Assert.Throws <ArgumentNullException>(() => new AuditTrailHubRegistration("client1", SignatureAlgorithm.HS256, (string)null !));
}
public void TryWrapKey_WithStaticKey_Success(EncryptionAlgorithm enc, KeyManagementAlgorithm alg)
{
var contentEncryptionKey = SymmetricJwk.GenerateKey(enc.RequiredKeySizeInBits);
Jwk cek = TryWrapKey_Success(contentEncryptionKey, enc, alg);
Assert.Equal(contentEncryptionKey, cek);
}
public void Descriptor_AllKindOfObject()
{
var descriptor = new JweDescriptor(SymmetricJwk.GenerateKey(256), KeyManagementAlgorithm.Dir, EncryptionAlgorithm.A128CbcHS256, CompressionAlgorithm.Def)
{
Payload = new JwsDescriptor(SymmetricJwk.GenerateKey(SignatureAlgorithm.HS256), SignatureAlgorithm.HS256)
{
Header = new JwtHeader
{
{ "H1", "value1" },
{ "H2", new Dictionary <string, object> {
{ "prop1", "value2" }
} },
{ "H3", 123L },
{ "H4", new Fake {
Inner = new Fake {
Value = "Inner1", Inner = new Fake {
Value = "Inner2"
}
}, Value = "Inner0"
} },
{ "H5", new [] { "a", "b", "c" } },
{ "H6", new [] { new object(), new object(), "abc", 123 } },
{ "H7", true },
{ "H8", false },
},
Payload = new JwtPayload
{
{ "P1", "value1" },
{ "P2", new Dictionary <string, object> {
{ "prop1", "value2" }
} },
{ "P3", 123L },
{ "P4", new Fake {
Inner = new Fake {
Value = "Inner1", Inner = new Fake {
Value = "Inner2"
}
}, Value = "Inner0"
} },
{ "P5", new [] { "a", "b", "c" } },
{ "P6", new [] { new object(), new object(), "abc", 123 } },
{ "P7", true },
{ "P8", false },
}
}
};
Assert.True(descriptor.Payload.TryGetClaim("P1", out var claim));
Assert.Equal(JwtValueKind.String, claim.Type);
Assert.True(descriptor.Payload.TryGetClaim("P2", out claim));
Assert.Equal(JwtValueKind.Object, claim.Type);
Assert.True(descriptor.Payload.TryGetClaim("P3", out claim));
Assert.Equal(JwtValueKind.Int64, claim.Type);
Assert.True(descriptor.Payload.TryGetClaim("P4", out claim));
Assert.Equal(JwtValueKind.Object, claim.Type);
Assert.True(descriptor.Payload.TryGetClaim("P5", out claim));
Assert.Equal(JwtValueKind.Array, claim.Type);
Assert.True(descriptor.Payload.TryGetClaim("P6", out claim));
Assert.Equal(JwtValueKind.Array, claim.Type);
Assert.True(descriptor.Payload.TryGetClaim("P7", out claim));
Assert.Equal(JwtValueKind.True, claim.Type);
Assert.True(descriptor.Payload.TryGetClaim("P8", out claim));
Assert.Equal(JwtValueKind.False, claim.Type);
Assert.True(descriptor.Payload.Header.TryGetValue("alg", out var jwsHeaderParameter));
Assert.Equal(JwtValueKind.JsonEncodedString, jwsHeaderParameter.Type);
Assert.True(descriptor.Payload.Header.TryGetValue("kid", out jwsHeaderParameter));
Assert.Equal(JwtValueKind.JsonEncodedString, jwsHeaderParameter.Type);
Assert.True(descriptor.Payload.Header.TryGetValue("H1", out jwsHeaderParameter));
Assert.Equal(JwtValueKind.String, jwsHeaderParameter.Type);
Assert.True(descriptor.Payload.Header.TryGetValue("H2", out jwsHeaderParameter));
Assert.Equal(JwtValueKind.Object, jwsHeaderParameter.Type);
Assert.True(descriptor.Payload.Header.TryGetValue("H3", out jwsHeaderParameter));
Assert.Equal(JwtValueKind.Int64, jwsHeaderParameter.Type);
Assert.True(descriptor.Payload.Header.TryGetValue("H4", out jwsHeaderParameter));
Assert.Equal(JwtValueKind.Object, jwsHeaderParameter.Type);
Assert.True(descriptor.Payload.Header.TryGetValue("H5", out jwsHeaderParameter));
Assert.Equal(JwtValueKind.Array, jwsHeaderParameter.Type);
Assert.True(descriptor.Payload.Header.TryGetValue("H6", out jwsHeaderParameter));
Assert.Equal(JwtValueKind.Array, jwsHeaderParameter.Type);
Assert.True(descriptor.Payload.Header.TryGetValue("H7", out jwsHeaderParameter));
Assert.Equal(JwtValueKind.True, jwsHeaderParameter.Type);
Assert.True(descriptor.Payload.Header.TryGetValue("H8", out jwsHeaderParameter));
Assert.Equal(JwtValueKind.False, jwsHeaderParameter.Type);
Assert.True(descriptor.Header.TryGetValue("kid", out var jweHeaderParameter));
Assert.True(descriptor.Header.TryGetValue("alg", out jweHeaderParameter));
Assert.Equal(KeyManagementAlgorithm.Dir.Name, ((JsonEncodedText)jweHeaderParameter.Value));
Assert.True(descriptor.Header.TryGetValue("enc", out jweHeaderParameter));
Assert.Equal(EncryptionAlgorithm.A128CbcHS256.Name, ((JsonEncodedText)jweHeaderParameter.Value));
Assert.True(descriptor.Header.TryGetValue("zip", out jweHeaderParameter));
Assert.Equal(CompressionAlgorithm.Def.Name, (JsonEncodedText)jweHeaderParameter.Value);
PooledByteBufferWriter writer = new PooledByteBufferWriter();
var context = new EncodingContext(writer, null, 0, false);
descriptor.Encode(context);
}
public void BuilderFails()
{
var builder = new TokenValidationPolicyBuilder();
Assert.Throws <ArgumentNullException>(() => builder.AddValidator(null));
Assert.Throws <ArgumentOutOfRangeException>(() => builder.MaximumTokenSizeInBytes(-1));
Assert.Throws <InvalidOperationException>(() => builder.RequireMetadataConfiguration("jwks_uri", SignatureAlgorithm.HS256));
Assert.Throws <ArgumentNullException>(() => builder.RequireSignature("issuer", (Jwk)null, SignatureAlgorithm.HS256));
Assert.Throws <InvalidOperationException>(() => builder.RequireSignature("issuer", SymmetricJwk.GenerateKey(128), (SignatureAlgorithm)null));
Assert.Throws <ArgumentNullException>(() => builder.RequireSignature("issuer", (Jwks)null, SignatureAlgorithm.HS256));
Assert.Throws <ArgumentException>(() => builder.RequireSignature("issuer", new StaticKeyProvider(new Jwks(SymmetricJwk.GenerateKey(128))), SignatureAlgorithm.None));
Assert.Throws <ArgumentNullException>(() => builder.RequireSignature("issuer", new StaticKeyProvider(new Jwks(SymmetricJwk.GenerateKey(128))), (SignatureAlgorithm)null));
Assert.Throws <ArgumentNullException>(() => builder.RequireSignature("issuer", (StaticKeyProvider)null, SignatureAlgorithm.HS256));
Assert.Throws <ArgumentNullException>(() => builder.RequireSignature(null, new StaticKeyProvider(new Jwks(SymmetricJwk.GenerateKey(128))), SignatureAlgorithm.HS256));
Assert.Throws <ArgumentNullException>(() => builder.IgnoreSignature(null));
Assert.Throws <ArgumentNullException>(() => builder.AcceptUnsecureToken(null));
Assert.Throws <ArgumentNullException>(() => builder.RequireSignatureByDefault((IKeyProvider)null));
Assert.Throws <ArgumentNullException>(() => builder.RequireSignatureByDefault((Jwk)null));
Assert.Throws <InvalidOperationException>(() => builder.RequireSignatureByDefault(SymmetricJwk.GenerateKey(128)));
Assert.Throws <ArgumentNullException>(() => builder.RequireSignatureByDefault(SymmetricJwk.GenerateKey(128), (string)null));
Assert.Throws <NotSupportedException>(() => builder.RequireSignatureByDefault(SymmetricJwk.GenerateKey(128), ""));
Assert.Throws <NotSupportedException>(() => builder.RequireSignatureByDefault((Jwk)null, ""));
Assert.Throws <ArgumentNullException>(() => builder.RequireSignatureByDefault((IList <Jwk>)null));
Assert.Throws <ArgumentOutOfRangeException>(() => builder.EnableLifetimeValidation(clockSkew: -1));
Assert.Throws <ArgumentNullException>(() => builder.RequireAudience((string)null));
Assert.Throws <ArgumentNullException>(() => builder.RequireAudience((IEnumerable <string>)null));
Assert.Throws <ArgumentNullException>(() => builder.DefaultIssuer(null));
Assert.Throws <ArgumentNullException>(() => builder.EnableTokenReplayValidation(null));
Assert.Throws <ArgumentNullException>(() => builder.RequireAlgorithm(null));
Assert.Throws <ArgumentNullException>(() => builder.WithDecryptionKeys((ICollection <IKeyProvider>)null));
}
