AzureAD · wparad · Dec 15, 2023
@@ -41,7 +41,12 @@ public class AsymmetricSignatureProvider : SignatureProvider
             { SecurityAlgorithms.RsaSsaPssSha512, 1040 },
             { SecurityAlgorithms.RsaSsaPssSha256Signature, 528 },
             { SecurityAlgorithms.RsaSsaPssSha384Signature, 784 },
-            { SecurityAlgorithms.RsaSsaPssSha512Signature, 1040 }
+            { SecurityAlgorithms.RsaSsaPssSha512Signature, 1040 },
+            { SecurityAlgorithms.EddsaEd25519Signature, 256 },
+            { SecurityAlgorithms.EddsaEd25519Sha512Signature, 256 },
+            { SecurityAlgorithms.EddsaEd25519WithContextSignature, 256 },
+            { SecurityAlgorithms.EddsaEd448Signature, 456 },
+            { SecurityAlgorithms.EddsaEd25519Shake256Signature, 456 },
         };
 
         /// <summary>
@@ -66,7 +71,12 @@ public class AsymmetricSignatureProvider : SignatureProvider
             { SecurityAlgorithms.RsaSsaPssSha512, 1040 },
             { SecurityAlgorithms.RsaSsaPssSha256Signature, 528 },
             { SecurityAlgorithms.RsaSsaPssSha384Signature, 784 },
-            { SecurityAlgorithms.RsaSsaPssSha512Signature, 1040 }
+            { SecurityAlgorithms.RsaSsaPssSha512Signature, 1040 },
+            { SecurityAlgorithms.EddsaEd25519Signature, 256 },
+            { SecurityAlgorithms.EddsaEd25519Sha512Signature, 256 },
+            { SecurityAlgorithms.EddsaEd25519WithContextSignature, 256 },
+            { SecurityAlgorithms.EddsaEd448Signature, 456 },
+            { SecurityAlgorithms.EddsaEd25519Shake256Signature, 456 },
         };
 
         internal AsymmetricSignatureProvider(SecurityKey key, string algorithm, CryptoProviderFactory cryptoProviderFactory)

@@ -103,6 +103,16 @@ public static class SecurityAlgorithms
 
         // See: https://datatracker.ietf.org/doc/html/rfc7518#section-4.6
         public const string EcdhEs = "ECDH-ES";
+
+        // See: https://www.rfc-editor.org/rfc/rfc9231.html#name-edwards-curve
+        public const string EddsaEd25519Signature = "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519";
+        public const string EddsaEd25519Sha512Signature = "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519ph";
+        public const string EddsaEd25519WithContextSignature = "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519ctx";
+        public const string EddsaEd448Signature = "   http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448";
+        public const string EddsaEd25519Shake256Signature = "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448ph";
+
+        // See: https://datatracker.ietf.org/doc/html/rfc8032
+        public const string Eddsa = "EdDSA";
 #pragma warning restore 1591
     }
 }
@@ -64,6 +64,16 @@ internal static class SupportedAlgorithms
             SecurityAlgorithms.RsaSsaPssSha512Signature
         };
 
+        internal static readonly ICollection<string> EddsaSigningAlgorithms = new Collection<string>
+        {
+            SecurityAlgorithms.EdDSA,
+            SecurityAlgorithms.EddsaEd25519Signature,
+            SecurityAlgorithms.EddsaEd25519Sha512Signature,
+            SecurityAlgorithms.EddsaEd25519WithContextSignature,
+            SecurityAlgorithms.EddsaEd448Signature,
+            SecurityAlgorithms.EddsaEd25519Shake256Signature
+        };
+
         internal static readonly ICollection<string> SymmetricEncryptionAlgorithms = new Collection<string>
         {
             SecurityAlgorithms.Aes128CbcHmacSha256,
@@ -215,6 +225,10 @@ public static bool IsSupportedAlgorithm(string algorithm, SecurityKey key)
             if (key as RsaSecurityKey != null)
                 return IsSupportedRsaAlgorithm(algorithm, key);
 
+            if (key as EddsaSecurityKey != null) {
+                return IsSupportedEddsaAlgorithm(algorithm, key);
+            }
+
             if (key is X509SecurityKey x509Key)
             {
                 // only RSA keys are supported
@@ -333,6 +347,10 @@ internal static bool IsSupportedRsaAlgorithm(string algorithm, SecurityKey key)
                 || (RsaPssSigningAlgorithms.Contains(algorithm) && IsSupportedRsaPss(key));
         }
 
+        internal static bool IsSupportedEddsaAlgorithm(string algorithm, EddsaSecurityKey key) {
+            return EddsaSigningAlgorithms.Contains(algorithm);
+        }
+
         private static bool IsSupportedRsaPss(SecurityKey key)
         {
             // RSACryptoServiceProvider doesn't support RSA-PSS
@@ -396,6 +414,14 @@ SecurityAlgorithms.RsaSsaPssSha512 or
             SecurityAlgorithms.RsaSsaPssSha512Signature or
             SecurityAlgorithms.RsaSha512Signature => 1024,
 
+            SecurityAlgorithms.EdDSA or
+            SecurityAlgorithms.EddsaEd25519Signature or
+            SecurityAlgorithms.EddsaEd25519Sha512Signature or
+            SecurityAlgorithms.EddsaEd25519WithContextSignature => 512,
+
+            SecurityAlgorithms.EddsaEd448Signature or
+            SecurityAlgorithms.EddsaEd25519Shake256Signature => 912,
+
             // if we don't know the algorithm, report 2K twice as big as any known algorithm.
             _ => 2048,
         };

@@ -70,6 +70,12 @@ public class JwtSecurityTokenHandler : SecurityTokenHandler
             { SecurityAlgorithms.RsaSha256Signature, SecurityAlgorithms.RsaSha256 },
             { SecurityAlgorithms.RsaSha384Signature, SecurityAlgorithms.RsaSha384 },
             { SecurityAlgorithms.RsaSha512Signature, SecurityAlgorithms.RsaSha512 },
+
+            { SecurityAlgorithms.EddsaEd25519Signature, SecurityAlgorithms.EdDSA },
+            { SecurityAlgorithms.EddsaEd25519Sha512Signature, SecurityAlgorithms.EdDSA },
+            { SecurityAlgorithms.EddsaEd25519WithContextSignature, SecurityAlgorithms.EdDSA },
+            { SecurityAlgorithms.EddsaEd448Signature, SecurityAlgorithms.EdDSA },
+            { SecurityAlgorithms.EddsaEd25519Shake256Signature, SecurityAlgorithms.EdDSA },
         };
 
         /// <summary>