Skip to content

Commit

Permalink
Issues: 453, 1419
Browse files Browse the repository at this point in the history
  • Loading branch information
@brentschmaltz
brentschmaltz committed Jun 26, 2020
1 parent 8433d58 commit 7eb317e
Show file tree
Hide file tree
Showing 17 changed files with 622 additions and 388 deletions.
239 changes: 127 additions & 112 deletions src/Microsoft.IdentityModel.Tokens/CryptoProviderFactory.cs
View file

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion src/Microsoft.IdentityModel.Tokens/Encryption/RsaKeyWrapProvider.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,7 @@ protected override void Dispose(bool disposing)
/// <returns>true if the algorithm is supported; otherwise, false.</returns>
protected virtual bool IsSupportedAlgorithm(SecurityKey key, string algorithm)
{
return SupportedAlgorithms.IsSupportedKeyWrapAlgorithm(algorithm, key);
return SupportedAlgorithms.IsSupportedRsaKeyWrap(algorithm, key);
}

/// <summary>
Expand Down
35 changes: 9 additions & 26 deletions src/Microsoft.IdentityModel.Tokens/Encryption/SymmetricKeyWrapProvider.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -152,14 +152,12 @@ protected virtual SymmetricAlgorithm GetSymmetricAlgorithm(SecurityKey key, stri

byte[] keyBytes = null;

SymmetricSecurityKey symmetricSecurityKey = key as SymmetricSecurityKey;
if (symmetricSecurityKey != null)
if (key is SymmetricSecurityKey symmetricSecurityKey)
keyBytes = symmetricSecurityKey.Key;
else
else if (key is JsonWebKey jsonWebKey)
{
JsonWebKey jsonWebKey = key as JsonWebKey;
if (jsonWebKey != null && jsonWebKey.K != null && jsonWebKey.Kty == JsonWebAlgorithmsKeyTypes.Octet)
keyBytes = Base64UrlEncoder.DecodeBytes(jsonWebKey.K);
if (JsonWebKeyConverter.TryConvertToSymmetricSecurityKey(jsonWebKey, out SecurityKey securityKey))
keyBytes = (securityKey as SymmetricSecurityKey).Key;
}

if (keyBytes == null)
Expand Down Expand Up @@ -197,22 +195,7 @@ protected virtual SymmetricAlgorithm GetSymmetricAlgorithm(SecurityKey key, stri
/// <returns>true if the algorithm is supported; otherwise, false.</returns>
protected virtual bool IsSupportedAlgorithm(SecurityKey key, string algorithm)
{
if (key == null)
return false;

if (string.IsNullOrEmpty(algorithm))
return false;

if (algorithm.Equals(SecurityAlgorithms.Aes128KW, StringComparison.Ordinal) || algorithm.Equals(SecurityAlgorithms.Aes256KW, StringComparison.Ordinal))
{
if (key is SymmetricSecurityKey)
return true;

if (key is JsonWebKey jsonWebKey && jsonWebKey.K != null && jsonWebKey.Kty == JsonWebAlgorithmsKeyTypes.Octet)
return true;
}

return false;
return SupportedAlgorithms.IsSupportedSymmetricKeyWrap(algorithm, key);
}

/// <summary>
Expand Down Expand Up @@ -343,18 +326,18 @@ Return an error

private void ValidateKeySize(byte[] key, string algorithm)
{
if (SecurityAlgorithms.Aes128KW.Equals(algorithm, StringComparison.Ordinal))
if (SecurityAlgorithms.Aes128KW.Equals(algorithm, StringComparison.Ordinal) || SecurityAlgorithms.Aes128KeyWrap.Equals(algorithm, StringComparison.Ordinal))
{
if (key.Length != 16)
throw LogHelper.LogExceptionMessage(new ArgumentOutOfRangeException(nameof(key), LogHelper.FormatInvariant(LogMessages.IDX10662, SecurityAlgorithms.Aes128KW, 128, Key.KeyId, key.Length << 3)));
throw LogHelper.LogExceptionMessage(new ArgumentOutOfRangeException(nameof(key), LogHelper.FormatInvariant(LogMessages.IDX10662, algorithm, 128, Key.KeyId, key.Length << 3)));

return;
}

if (SecurityAlgorithms.Aes256KW.Equals(algorithm, StringComparison.Ordinal))
if (SecurityAlgorithms.Aes256KW.Equals(algorithm, StringComparison.Ordinal) || (SecurityAlgorithms.Aes256KeyWrap.Equals(algorithm, StringComparison.Ordinal)))
{
if (key.Length != 32)
throw LogHelper.LogExceptionMessage(new ArgumentOutOfRangeException(nameof(key), LogHelper.FormatInvariant(LogMessages.IDX10662, SecurityAlgorithms.Aes256KW, 256, Key.KeyId, key.Length << 3)));
throw LogHelper.LogExceptionMessage(new ArgumentOutOfRangeException(nameof(key), LogHelper.FormatInvariant(LogMessages.IDX10662, algorithm, 256, Key.KeyId, key.Length << 3)));

return;
}
Expand Down
18 changes: 18 additions & 0 deletions src/Microsoft.IdentityModel.Tokens/Exceptions/SecurityTokenException.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@

using System;
using System.Runtime.Serialization;
using Microsoft.IdentityModel.Logging;

namespace Microsoft.IdentityModel.Tokens
{
Expand Down Expand Up @@ -74,5 +75,22 @@ protected SecurityTokenException(SerializationInfo info, StreamingContext contex
: base(info, context)
{
}

#if NETSTANDARD2_0
/// <summary>
/// When overridden in a derived class, sets the System.Runtime.Serialization.SerializationInfo
/// with information about the exception.
/// </summary>
/// <param name="info">The <see cref="SerializationInfo"/> that holds the serialized object data about the exception being thrown.</param>
/// <param name="context">The <see cref="StreamingContext"/> that contains contextual information about the source or destination.</param>
/// <exception cref="ArgumentNullException">thrown if <paramref name="info"/> is null.</exception>
public override void GetObjectData(SerializationInfo info, StreamingContext context)
{
if (info == null)
throw LogHelper.LogArgumentNullException(nameof(info));

base.GetObjectData(info, context);
}
#endif
}
}
4 changes: 4 additions & 0 deletions src/Microsoft.IdentityModel.Tokens/Microsoft.IdentityModel.Tokens.csproj
View file
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,10 @@
<PrivateAssets>all</PrivateAssets>
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
</PackageReference>
<PackageReference Include="SauceControl.InheritDoc" Version="1.0.0">
<PrivateAssets>all</PrivateAssets>
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
</PackageReference>
</ItemGroup>

</Project>
11 changes: 11 additions & 0 deletions src/Microsoft.IdentityModel.Tokens/SecurityKey.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,17 @@ public virtual byte[] ComputeJwkThumbprint()
throw LogHelper.LogExceptionMessage(new NotSupportedException(LogHelper.FormatInvariant(LogMessages.IDX10710)));
}

/// <summary>
/// Checks if <see cref="SecurityKey.CryptoProviderFactory"/> can perform the cryptographic operation specified by the <paramref name="algorithm"/> with this <see cref="SecurityKey"/>.
/// </summary>
/// <param name="algorithm">the algorithm to apply.</param>
/// <returns>true if <see cref="SecurityKey.CryptoProviderFactory"/> can perform the cryptographic operation sepecified by the <paramref name="algorithm"/> with this <see cref="SecurityKey"/>.</returns>
public virtual bool IsSupportedAlgorithm(string algorithm)
{
// do not throw if algorithm is null or empty to stay in sync with CryptoProviderFactory.IsSupportedAlgorithm.
return CryptoProviderFactory.IsSupportedAlgorithm(algorithm, this);
}

/// <summary>
/// Sets the <see cref="InternalId"/> to value of <see cref="SecurityKey"/>'s JWK thumbprint if it can be computed, otherwise sets the <see cref="InternalId"/> to <see cref="string.Empty"/>.
/// </summary>
Expand Down
36 changes: 21 additions & 15 deletions src/Microsoft.IdentityModel.Tokens/SupportedAlgorithms.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,7 @@ internal static class SupportedAlgorithms
SecurityAlgorithms.Sha512Digest
};

// doubles as RsaKeyWrapAlgorithms
internal static readonly ICollection<string> RsaEncryptionAlgorithms = new Collection<string>
{
SecurityAlgorithms.RsaOAEP,
Expand Down Expand Up @@ -95,7 +96,9 @@ internal static class SupportedAlgorithms
internal static readonly ICollection<string> SymmetricKeyWrapAlgorithms = new Collection<string>
{
SecurityAlgorithms.Aes128KW,
SecurityAlgorithms.Aes256KW
SecurityAlgorithms.Aes256KW,
SecurityAlgorithms.Aes128KeyWrap,
SecurityAlgorithms.Aes256KeyWrap,
};

internal static readonly ICollection<string> SymmetricSigningAlgorithms = new Collection<string>
Expand Down Expand Up @@ -181,32 +184,35 @@ internal static bool IsSupportedHashAlgorithm(string algorithm)
return HashAlgorithms.Contains(algorithm);
}

internal static bool IsSupportedKeyWrapAlgorithm(string algorithm, SecurityKey key)
internal static bool IsSupportedRsaKeyWrap(string algorithm, SecurityKey key)
{
if (key == null)
return false;

if (string.IsNullOrEmpty(algorithm))
return false;

if (key.KeySize < 2048)
if (!RsaEncryptionAlgorithms.Contains(algorithm))
return false;

if ( algorithm.Equals(SecurityAlgorithms.RsaPKCS1, StringComparison.Ordinal)
|| algorithm.Equals(SecurityAlgorithms.RsaOAEP, StringComparison.Ordinal)
|| algorithm.Equals(SecurityAlgorithms.RsaOaepKeyWrap, StringComparison.Ordinal))
{
if (key is RsaSecurityKey)
return true;
if (key is RsaSecurityKey || key is X509SecurityKey || (key is JsonWebKey rsaJsonWebKey && rsaJsonWebKey.Kty == JsonWebAlgorithmsKeyTypes.RSA))
return key.KeySize >= 2048;

if (key is X509SecurityKey)
return true;
return false;
}

if (key is JsonWebKey jsonWebKey && jsonWebKey.Kty == JsonWebAlgorithmsKeyTypes.RSA)
return true;
}
internal static bool IsSupportedSymmetricKeyWrap(string algorithm, SecurityKey key)
{
if (key == null)
return false;

return false;
if (string.IsNullOrEmpty(algorithm))
return false;

if (!SymmetricKeyWrapAlgorithms.Contains(algorithm))
return false;

return (key is SymmetricSecurityKey || (key is JsonWebKey jsonWebKey && jsonWebKey.Kty == JsonWebAlgorithmsKeyTypes.Octet));
}

internal static bool IsSupportedRsaAlgorithm(string algorithm, SecurityKey key)
Expand Down
Loading

0 comments on commit 7eb317e

Please sign in to comment.