internal static SecurityKey GetSecurityKey(EncryptingCredentials encryptingCredentials, CryptoProviderFactory cryptoProviderFactory, out byte[] wrappedKey)
{
SecurityKey securityKey = null;
KeyWrapProvider kwProvider = null;
wrappedKey = null;
// if direct algorithm, look for support
if (JwtConstants.DirectKeyUseAlg.Equals(encryptingCredentials.Alg))
{
if (!cryptoProviderFactory.IsSupportedAlgorithm(encryptingCredentials.Enc, encryptingCredentials.Key))
{
throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10615, LogHelper.MarkAsNonPII(encryptingCredentials.Enc), encryptingCredentials.Key)));
}
securityKey = encryptingCredentials.Key;
}
else
{
if (!cryptoProviderFactory.IsSupportedAlgorithm(encryptingCredentials.Alg, encryptingCredentials.Key))
{
throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10615, LogHelper.MarkAsNonPII(encryptingCredentials.Alg), encryptingCredentials.Key)));
}
// only 128, 384 and 512 AesCbcHmac for CEK algorithm
if (SecurityAlgorithms.Aes128CbcHmacSha256.Equals(encryptingCredentials.Enc))
{
securityKey = new SymmetricSecurityKey(JwtTokenUtilities.GenerateKeyBytes(256));
}
else if (SecurityAlgorithms.Aes192CbcHmacSha384.Equals(encryptingCredentials.Enc))
{
securityKey = new SymmetricSecurityKey(JwtTokenUtilities.GenerateKeyBytes(384));
}
else if (SecurityAlgorithms.Aes256CbcHmacSha512.Equals(encryptingCredentials.Enc))
{
securityKey = new SymmetricSecurityKey(JwtTokenUtilities.GenerateKeyBytes(512));
}
else
{
throw LogHelper.LogExceptionMessage(
new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10617, LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes128CbcHmacSha256), LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes192CbcHmacSha384), LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes256CbcHmacSha512), LogHelper.MarkAsNonPII(encryptingCredentials.Enc))));
}
kwProvider = cryptoProviderFactory.CreateKeyWrapProvider(encryptingCredentials.Key, encryptingCredentials.Alg);
wrappedKey = kwProvider.WrapKey(((SymmetricSecurityKey)securityKey).Key);
}
return(securityKey);
}
private string EncryptToken(string innerJwt, EncryptingCredentials encryptingCredentials)
{
var cryptoProviderFactory = encryptingCredentials.CryptoProviderFactory ?? encryptingCredentials.Key.CryptoProviderFactory;
if (cryptoProviderFactory == null)
{
throw LogHelper.LogExceptionMessage(new ArgumentException(LogMessages.IDX14104));
}
// if direct algorithm, look for support
if (JwtConstants.DirectKeyUseAlg.Equals(encryptingCredentials.Alg, StringComparison.Ordinal))
{
if (!cryptoProviderFactory.IsSupportedAlgorithm(encryptingCredentials.Enc, encryptingCredentials.Key))
{
throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10615, encryptingCredentials.Enc, encryptingCredentials.Key)));
}
var header = new JObject();
if (!string.IsNullOrEmpty(encryptingCredentials.Alg))
{
header.Add(JwtHeaderParameterNames.Alg, encryptingCredentials.Alg);
}
if (!string.IsNullOrEmpty(encryptingCredentials.Enc))
{
header.Add(JwtHeaderParameterNames.Enc, encryptingCredentials.Enc);
}
if (!string.IsNullOrEmpty(encryptingCredentials.Key.KeyId))
{
header.Add(JwtHeaderParameterNames.Kid, encryptingCredentials.Key.KeyId);
}
header.Add(JwtHeaderParameterNames.Typ, JwtConstants.HeaderType);
var encryptionProvider = cryptoProviderFactory.CreateAuthenticatedEncryptionProvider(encryptingCredentials.Key, encryptingCredentials.Enc);
if (encryptionProvider == null)
{
throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogMessages.IDX14103));
}
try
{
var rawHeader = Base64UrlEncoder.Encode(Encoding.UTF8.GetBytes(header.ToString(Newtonsoft.Json.Formatting.None)));
var encryptionResult = encryptionProvider.Encrypt(Encoding.UTF8.GetBytes(innerJwt), Encoding.ASCII.GetBytes(rawHeader));
return(string.Join(".", rawHeader, string.Empty, Base64UrlEncoder.Encode(encryptionResult.IV), Base64UrlEncoder.Encode(encryptionResult.Ciphertext), Base64UrlEncoder.Encode(encryptionResult.AuthenticationTag)));
}
catch (Exception ex)
{
throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10616, encryptingCredentials.Enc, encryptingCredentials.Key), ex));
}
}
else
{
if (!cryptoProviderFactory.IsSupportedAlgorithm(encryptingCredentials.Alg, encryptingCredentials.Key))
{
throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10615, encryptingCredentials.Alg, encryptingCredentials.Key)));
}
SymmetricSecurityKey symmetricKey = null;
// only 128, 384 and 512 AesCbcHmac for CEK algorithm
if (SecurityAlgorithms.Aes128CbcHmacSha256.Equals(encryptingCredentials.Enc, StringComparison.Ordinal))
{
symmetricKey = new SymmetricSecurityKey(JwtTokenUtilities.GenerateKeyBytes(256));
}
else if (SecurityAlgorithms.Aes192CbcHmacSha384.Equals(encryptingCredentials.Enc, StringComparison.Ordinal))
{
symmetricKey = new SymmetricSecurityKey(JwtTokenUtilities.GenerateKeyBytes(384));
}
else if (SecurityAlgorithms.Aes256CbcHmacSha512.Equals(encryptingCredentials.Enc, StringComparison.Ordinal))
{
symmetricKey = new SymmetricSecurityKey(JwtTokenUtilities.GenerateKeyBytes(512));
}
else
{
throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10617, SecurityAlgorithms.Aes128CbcHmacSha256, SecurityAlgorithms.Aes192CbcHmacSha384, SecurityAlgorithms.Aes256CbcHmacSha512, encryptingCredentials.Enc)));
}
var kwProvider = cryptoProviderFactory.CreateKeyWrapProvider(encryptingCredentials.Key, encryptingCredentials.Alg);
var wrappedKey = kwProvider.WrapKey(symmetricKey.Key);
var encryptionProvider = cryptoProviderFactory.CreateAuthenticatedEncryptionProvider(symmetricKey, encryptingCredentials.Enc);
if (encryptionProvider == null)
{
throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogMessages.IDX14103));
}
try
{
var header = new JObject();
if (!string.IsNullOrEmpty(encryptingCredentials.Alg))
{
header.Add(JwtHeaderParameterNames.Alg, encryptingCredentials.Alg);
}
if (!string.IsNullOrEmpty(encryptingCredentials.Enc))
{
header.Add(JwtHeaderParameterNames.Enc, encryptingCredentials.Enc);
}
if (!string.IsNullOrEmpty(encryptingCredentials.Key.KeyId))
{
header.Add(JwtHeaderParameterNames.Kid, encryptingCredentials.Key.KeyId);
}
header.Add(JwtHeaderParameterNames.Typ, JwtConstants.HeaderType);
var rawHeader = Base64UrlEncoder.Encode(Encoding.UTF8.GetBytes(header.ToString(Newtonsoft.Json.Formatting.None)));
var encryptionResult = encryptionProvider.Encrypt(Encoding.UTF8.GetBytes(innerJwt), Encoding.ASCII.GetBytes(rawHeader));
return(string.Join(".", rawHeader, Base64UrlEncoder.Encode(wrappedKey), Base64UrlEncoder.Encode(encryptionResult.IV), Base64UrlEncoder.Encode(encryptionResult.Ciphertext), Base64UrlEncoder.Encode(encryptionResult.AuthenticationTag)));
}
catch (Exception ex)
{
throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10616, encryptingCredentials.Enc, encryptingCredentials.Key), ex));
}
}
}