Add support for RSA-OAEP 256 (AzureAD#1293)
Removing obsolete ifdefs since net452 support was removed
karoberts committed May 31, 2024
1 parent 12cd3dc commit 200eebb
Showing 10 changed files with 119 additions and 5 deletions.
11 changes: 8 additions & 3 deletions src/Microsoft.IdentityModel.Tokens/AsymmetricAdapter.cs
Expand Up @@ -199,9 +199,14 @@ private void InitializeUsingRsa(RSA rsa, string algorithm)
RSASignaturePadding = RSASignaturePadding.Pkcs1;
}

RSAEncryptionPadding = (algorithm.Equals(SecurityAlgorithms.RsaOAEP) || algorithm.Equals(SecurityAlgorithms.RsaOaepKeyWrap))
? RSAEncryptionPadding.OaepSHA1
: RSAEncryptionPadding.Pkcs1;
RSAEncryptionPadding = algorithm switch
{
SecurityAlgorithms.RsaOAEP => RSAEncryptionPadding.OaepSHA1,
SecurityAlgorithms.RsaOaepKeyWrap => RSAEncryptionPadding.OaepSHA1,
SecurityAlgorithms.RsaOAEP256 => RSAEncryptionPadding.OaepSHA256,
_ => RSAEncryptionPadding.Pkcs1
};

RSA = rsa;
_decryptFunction = DecryptWithRsa;
_encryptFunction = EncryptWithRsa;
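Review bot: The default arm `_ => RSAEncryptionPadding.Pkcs1` at the end of the new switch maps every algorithm string other than the three OAEP constants onto PKCS#1 v1.5 — the padding exposed to Bleichenbacher-style padding-oracle attacks — so a typo or a future identifier silently lands on the weakest option instead of failing. The replaced ternary had the same fallback, but the switch makes an explicit arm cheap: `SecurityAlgorithms.RsaPKCS1 => RSAEncryptionPadding.Pkcs1,` followed by `_ => throw new NotSupportedException(algorithm)` (or the project's logged-exception equivalent), unless something earlier in InitializeUsingRsa, whose body begins above the hunk, already rejects unknown algorithms. A comment on the OAEP-256 arm would also save the next reader a lookup: `// RFC 7518 §4.3: RSA-OAEP-256 is OAEP with SHA-256 and MGF1-SHA256; .NET's OaepSHA256 applies SHA-256 to both`. Matching a string in `switch` is ordinal and case-sensitive, consistent with the old `Equals` calls and with JWA's case-sensitive "alg" values, although the test code in this commit compares with OrdinalIgnoreCase.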
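--- a/src/Microsoft.IdentityModel.Tokens/SecurityAlgorithms.cs
+++ b/src/Microsoft.IdentityModel.Tokens/SecurityAlgorithms.cs
@@ -31,6 +31,7 @@ public static class SecurityAlgorithms
 public const string Aes256KW = "A256KW";
 public const string RsaPKCS1 = "RSA1_5";
 public const string RsaOAEP = "RSA-OAEP";
+public const string RsaOAEP256 = "RSA-OAEP-256";
 
 // See: https://www.w3.org/TR/xmlenc-core1/#sec-Exclusive-Canonicalization
 public const string ExclusiveC14n = "http://www.w3.org/2001/10/xml-exc-c14n#";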
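--- a/src/Microsoft.IdentityModel.Tokens/SupportedAlgorithms.cs
+++ b/src/Microsoft.IdentityModel.Tokens/SupportedAlgorithms.cs
@@ -40,6 +40,7 @@ internal static class SupportedAlgorithms
 internal static readonly ICollection<string> RsaEncryptionAlgorithms = new Collection<string>
 {
 SecurityAlgorithms.RsaOAEP,
+SecurityAlgorithms.RsaOAEP256,
 SecurityAlgorithms.RsaPKCS1,
 SecurityAlgorithms.RsaOaepKeyWrap
 };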
Original file line number Diff line number Diff line change
Expand Up @@ -2744,6 +2744,30 @@ public static TheoryData<CreateTokenTheoryData> RoundTripJWEKeyWrapTestCases
EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes128CbcHmacSha256)
},
new CreateTokenTheoryData
{
TestId = "RsaOAEP256_Aes128CbcHmacSha256",
ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
Payload = Default.PayloadString,
SigningCredentials = Default.SymmetricSigningCredentials,
EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOAEP256, SecurityAlgorithms.Aes128CbcHmacSha256)
},
new CreateTokenTheoryData
{
TestId = "RsaOAEP256_Aes192CbcHmacSha384",
ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
Payload = Default.PayloadString,
SigningCredentials = Default.SymmetricSigningCredentials,
EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOAEP256, SecurityAlgorithms.Aes192CbcHmacSha384)
},
new CreateTokenTheoryData
{
TestId = "RsaOAEP256_Aes256CbcHmacSha512",
ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
Payload = Default.PayloadString,
SigningCredentials = Default.SymmetricSigningCredentials,
EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOAEP256, SecurityAlgorithms.Aes256CbcHmacSha512)
},
new CreateTokenTheoryData
{
TestId = "RsaOAEP_Aes192CbcHmacSha384",
ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,12 @@ public static TheoryData<KeyWrapProviderTheoryData> DisposeProviderTheoryData
ExpectedException = ExpectedException.NoExceptionExpected,
TestId = nameof(SecurityAlgorithms.RsaOAEP),
},
new KeyWrapProviderTheoryData
{
Algorithm = SecurityAlgorithms.RsaOAEP256,
ExpectedException = ExpectedException.NoExceptionExpected,
TestId = nameof(SecurityAlgorithms.RsaOAEP256),
},
};
}

Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ public void DecryptValidate(KeyWrapTestParams testParams)
CryptoProviderFactory.Default.ReleaseKeyWrapProvider(keyWrapProvider);
}
else if (testParams.Algorithm.Equals(SecurityAlgorithms.RsaOAEP, StringComparison.OrdinalIgnoreCase)
|| testParams.Algorithm.Equals(SecurityAlgorithms.RsaOAEP256, StringComparison.OrdinalIgnoreCase)
|| testParams.Algorithm.Equals(SecurityAlgorithms.RsaPKCS1, StringComparison.OrdinalIgnoreCase))
{
var keyWrapProvider = CryptoProviderFactory.Default.CreateKeyWrapProvider(testParams.Key, testParams.Algorithm);
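--- a/test/Microsoft.IdentityModel.Tokens.Tests/ReferenceTests.cs
+++ b/test/Microsoft.IdentityModel.Tokens.Tests/ReferenceTests.cs
@@ -182,7 +182,9 @@ public void KeyWrapReferenceTest(KeyWrapTestParams testParams)
 Assert.True(Utility.AreEqual(unwrappedKey, testParams.KeyToWrap), "Utility.AreEqual(unwrappedKey, testParams.KeyToWrap)");
 }
 else if (testParams.Algorithm.Equals(SecurityAlgorithms.RsaOAEP, StringComparison.OrdinalIgnoreCase)
-|| testParams.Algorithm.Equals(SecurityAlgorithms.RsaPKCS1, StringComparison.OrdinalIgnoreCase))
+|| testParams.Algorithm.Equals(SecurityAlgorithms.RsaPKCS1, StringComparison.OrdinalIgnoreCase)
+|| testParams.Algorithm.Equals(SecurityAlgorithms.RsaOAEP256, StringComparison.OrdinalIgnoreCase)
+)
 {
 var rsaKeyWrapProvider = CryptoProviderFactory.Default.CreateKeyWrapProvider(testParams.Key, testParams.Algorithm);
 byte[] unwrappedKey = rsaKeyWrapProvider.UnwrapKey(testParams.EncryptedKey);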
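Review bot: Nothing in this suite would detect a wrong MGF1 digest in the OAEP-256 padding unless the KeyWrapTestParams data, which lives outside this hunk, gains an EncryptedKey produced by an independent implementation: the added condition merely admits RSA-OAEP-256 into a branch whose input is whatever the test data supplies, and every other new test in this commit is a round-trip in which both sides share the same padding choice. A fixture holding a JWE encrypted key generated by another library, unwrapped here and asserted equal to KeyToWrap as the sibling branch does, is the check that actually pins interoperability. The dangling `)` on its own line after the new condition also breaks the style of the surrounding `else if`; folding it onto the RsaOAEP256 line keeps the three conditions uniform. KeyWrapReferenceTest continues outside the hunk.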
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,14 @@ public static TheoryData<KeyWrapTheoryData> RsaKeyWrapConstructorTheoryData()
WrapKey = KeyingMaterial.RsaSecurityKey_1024
},
new KeyWrapTheoryData
{
ExpectedException = ExpectedException.SecurityTokenKeyWrapException("IDX10661:"),
TestId = "KeyTooSmall1024",
WillUnwrap = false,
WrapAlgorithm = SecurityAlgorithms.RsaOAEP256,
WrapKey = KeyingMaterial.RsaSecurityKey_1024
},
new KeyWrapTheoryData
{
ExpectedException = ExpectedException.SecurityTokenKeyWrapException("IDX10661:"),
TestId = "KeyDoesNotMatchAlgorithm",
Expand Down Expand Up @@ -205,11 +213,38 @@ public static TheoryData<KeyWrapTheoryData> RsaUnwrapMismatchTheoryData()
new KeyWrapTheoryData
{
ExpectedException = ExpectedException.KeyWrapException("IDX10659:"),
TestId = "AlgorithmAndKeyMismatchRsaPKCS1Bits4096RsaOAEKey2048",
TestId = "AlgorithmAndKeyMismatchRsaPKCS1Bits4096RsaOAEPKey2048",
UnwrapAlgorithm = SecurityAlgorithms.RsaOAEP,
UnwrapKey = KeyingMaterial.RsaSecurityKey_2048,
WrapAlgorithm = SecurityAlgorithms.RsaPKCS1,
WrapKey = KeyingMaterial.RsaSecurityKey_4096_Public,
},
new KeyWrapTheoryData
{
ExpectedException = ExpectedException.KeyWrapException("IDX10659:"),
TestId = "AlgorithmMismatchRsaPKCS1RsaOAEP256",
UnwrapAlgorithm = SecurityAlgorithms.RsaOAEP256,
UnwrapKey = KeyingMaterial.RsaSecurityKey_2048,
WrapAlgorithm = SecurityAlgorithms.RsaPKCS1,
WrapKey = KeyingMaterial.RsaSecurityKey_2048_Public
},
new KeyWrapTheoryData
{
ExpectedException = ExpectedException.KeyWrapException("IDX10659:"),
TestId = "KeyMismatchRsa4096Rsa2048",
UnwrapAlgorithm = SecurityAlgorithms.RsaOAEP256,
UnwrapKey = KeyingMaterial.RsaSecurityKey_2048,
WrapAlgorithm = SecurityAlgorithms.RsaOAEP,
WrapKey = KeyingMaterial.RsaSecurityKey_4096_Public,
},
new KeyWrapTheoryData
{
ExpectedException = ExpectedException.KeyWrapException("IDX10659:"),
TestId = "AlgorithmAndKeyMismatchRsaPKCS1Bits4096RsaOAEP256Key2048",
UnwrapAlgorithm = SecurityAlgorithms.RsaOAEP256,
UnwrapKey = KeyingMaterial.RsaSecurityKey_2048,
WrapAlgorithm = SecurityAlgorithms.RsaPKCS1,
WrapKey = KeyingMaterial.RsaSecurityKey_4096_Public,
}
};
}
Expand Down Expand Up @@ -368,6 +403,13 @@ public static TheoryData<KeyWrapTheoryData> RsaWrapUnwrapTheoryData()
ExpectedException.ArgumentNullException(),
theoryData);

AddWrapUnwrapTheoryData(
"Test4",
SecurityAlgorithms.RsaOAEP256,
KeyingMaterial.RsaSecurityKey_2048_Public,
KeyingMaterial.RsaSecurityKey_2048,
theoryData);

return theoryData;
}

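Review bot: None of the added mismatch cases isolates the one failure mode this commit introduces — an RSA-OAEP (SHA-1) ciphertext unwrapped as RSA-OAEP-256 with the matching key pair — because `KeyMismatchRsa4096Rsa2048` swaps the key at the same time as the algorithm, and the other two new cases pair OAEP-256 with PKCS#1 v1.5. A same-key case, wrapping with `SecurityAlgorithms.RsaOAEP` under `RsaSecurityKey_2048_Public` and unwrapping with `SecurityAlgorithms.RsaOAEP256` under `RsaSecurityKey_2048`, would pin that the digest parameter is part of what the unwrap validates, presumably with the same `IDX10659:` expectation the sibling same-key case carries (confirm by running it). The TestId `KeyTooSmall1024` at the top of the first hunk also looks like a duplicate of the entry just above it, whose TestId sits above the hunk; `KeyTooSmall1024RsaOAEP256` would keep the theory cases distinguishable in the runner. RsaUnwrapMismatchTheoryData continues outside the hunk.
```csharp
// … unchanged: existing mismatch cases …
new KeyWrapTheoryData
{
    ExpectedException = ExpectedException.KeyWrapException("IDX10659:"),
    TestId = "AlgorithmMismatchRsaOAEPRsaOAEP256SameKey",
    UnwrapAlgorithm = SecurityAlgorithms.RsaOAEP256,
    UnwrapKey = KeyingMaterial.RsaSecurityKey_2048,
    WrapAlgorithm = SecurityAlgorithms.RsaOAEP,
    WrapKey = KeyingMaterial.RsaSecurityKey_2048_Public
},
```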
Original file line number Diff line number Diff line change
Expand Up @@ -799,6 +799,30 @@ public static TheoryData<string, SecurityTokenDescriptor, TokenValidationParamet
ExpectedException.NoExceptionExpected
);

encryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOAEP256, SecurityAlgorithms.Aes128CbcHmacSha256);
theoryData.Add(
"RsaOAEP256-Aes128CbcHmacSha256",
Default.SecurityTokenDescriptor(encryptingCredentials, Default.SymmetricSigningCredentials, ClaimSets.DefaultClaims),
Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
ExpectedException.NoExceptionExpected
);

encryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOAEP256, SecurityAlgorithms.Aes192CbcHmacSha384);
theoryData.Add(
"RsaOAEP256-Aes192CbcHmacSha384",
Default.SecurityTokenDescriptor(encryptingCredentials, Default.SymmetricSigningCredentials, ClaimSets.DefaultClaims),
Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
ExpectedException.NoExceptionExpected
);

encryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOAEP256, SecurityAlgorithms.Aes256CbcHmacSha512);
theoryData.Add(
"RsaOAEP256-Aes256CbcHmacSha512",
Default.SecurityTokenDescriptor(encryptingCredentials, Default.SymmetricSigningCredentials, ClaimSets.DefaultClaims),
Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
ExpectedException.NoExceptionExpected
);

encryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes128CbcHmacSha256);
theoryData.Add(
"RsaOaepKeyWrap-Aes128CbcHmacSha256",
Original file line number Diff line number Diff line change
Expand Up @@ -2767,6 +2767,7 @@ public static TheoryData<KeyWrapTokenTheoryData> KeyWrapTokenTheoryData()
var theoryData = new TheoryData<KeyWrapTokenTheoryData>();
var handler = new JwtSecurityTokenHandler();
var rsaOAEPEncryptingCredential = new EncryptingCredentials(KeyingMaterial.DefaultX509Key_2048, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes256CbcHmacSha512);
var rsaOAEP256EncryptingCredential = new EncryptingCredentials(KeyingMaterial.DefaultX509Key_2048, SecurityAlgorithms.RsaOAEP256, SecurityAlgorithms.Aes256CbcHmacSha512);
var rsaPKCS1EncryptingCredential = new EncryptingCredentials(KeyingMaterial.DefaultX509Key_2048, SecurityAlgorithms.RsaPKCS1, SecurityAlgorithms.Aes256CbcHmacSha512);

theoryData.Add(new KeyWrapTokenTheoryData
Expand All @@ -2776,6 +2777,13 @@ public static TheoryData<KeyWrapTokenTheoryData> KeyWrapTokenTheoryData()
TestId = "Key wrap token test using OAEP padding"
});

theoryData.Add(new KeyWrapTokenTheoryData
{
EncryptingCredentials = rsaOAEP256EncryptingCredential,
DecryptingCredentials = rsaOAEP256EncryptingCredential,
TestId = "Key wrap token test using OAEP-256 padding"
});

theoryData.Add(new KeyWrapTokenTheoryData
{
EncryptingCredentials = rsaPKCS1EncryptingCredential,
