eelke/IdentityShroud
1
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions

Reworked code around signing keys have key details much more isolated from the other parts of the program.

Browse source
This commit is contained in:
eelke 2026-02-21 20:15:46 +01:00
parent eb872a4f44
commit 0c6f227049
40 changed files with 474 additions and 281 deletions
Download patch file Download diff file Expand all files Collapse all files

3
IdentityShroud.Core/Contracts/IClientService.cs
View file

@ -6,7 +6,7 @@ namespace IdentityShroud.Core.Contracts;
public class ClientCreateRequest
{
public string ClientId { get; set; }
public required string ClientId { get; set; }
public string? Name { get; set; }
public string? Description { get; set; }
public string? SignatureAlgorithm { get; set; }
@ -22,4 +22,5 @@ public interface IClientService
CancellationToken ct = default);
Task<Client?> GetByClientId(string clientId, CancellationToken ct = default);
Task<Client?> FindById(int id, CancellationToken ct = default);
}

2
IdentityShroud.Core/Contracts/IEncryptionService.cs
View file

@ -3,5 +3,5 @@ namespace IdentityShroud.Core.Contracts;
public interface IEncryptionService
{
byte[] Encrypt(byte[] plain);
byte[] Decrypt(byte[] cipher);
byte[] Decrypt(ReadOnlyMemory<byte> cipher);
}

8
IdentityShroud.Core/Contracts/IKeyProvisioningService.cs
View file

@ -1,8 +0,0 @@
using IdentityShroud.Core.Model;
namespace IdentityShroud.Core.Contracts;
public interface IKeyProvisioningService
{
RealmKey CreateRsaKey(int keySize = 2048);
}

12
IdentityShroud.Core/Contracts/IKeyService.cs Normal file
View file

@ -0,0 +1,12 @@
using IdentityShroud.Core.Messages;
using IdentityShroud.Core.Model;
using IdentityShroud.Core.Security.Keys;
namespace IdentityShroud.Core.Contracts;
public interface IKeyService
{
RealmKey CreateKey(KeyPolicy policy);
JsonWebKey? CreateJsonWebKey(RealmKey realmKey);
}

1
IdentityShroud.Core/Contracts/IRealmService.cs
View file

@ -6,6 +6,7 @@ namespace IdentityShroud.Core.Contracts;
public interface IRealmService
{
Task<Realm?> FindById(Guid id, CancellationToken ct = default);
Task<Realm?> FindBySlug(string slug, CancellationToken ct = default);
Task<Result<RealmCreateResponse>> Create(RealmCreateRequest request, CancellationToken ct = default);

73
IdentityShroud.Core/DTO/JsonWebKey.cs Normal file
View file

@ -0,0 +1,73 @@
using System.Buffers;
using System.Buffers.Text;
using System.Text.Json;
using System.Text.Json.Serialization;
namespace IdentityShroud.Core.Messages;
// https://www.rfc-editor.org/rfc/rfc7517.html
public class JsonWebKey
{
[JsonPropertyName("kty")]
public string KeyType { get; set; } = "RSA";
// Common values sig(nature) enc(ryption)
[JsonPropertyName("use")]
public string? Use { get; set; } = "sig"; // "sig" for signature, "enc" for encryption
// Per standard this field is optional, commented out for now as it seems not
// have any good use in an identity server. Anyone validating tokens should use
// the algorithm specified in the header of the token.
// [JsonPropertyName("alg")]
// public string? Algorithm { get; set; } = "RS256";
[JsonPropertyName("kid")]
public required string KeyId { get; set; }
// RSA Public Key Components
[JsonPropertyName("n")]
public string? Modulus { get; set; }
[JsonPropertyName("e")]
public string? Exponent { get; set; }
// ECdsa
public string? Curve { get; set; }
[JsonConverter(typeof(Base64UrlConverter))]
public byte[]? X { get; set; }
[JsonConverter(typeof(Base64UrlConverter))]
public byte[]? Y { get; set; }
// Optional fields
// [JsonPropertyName("x5c")]
// [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
// public List<string>? X509CertificateChain { get; set; }
//
// [JsonPropertyName("x5t")]
// [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
// public string? X509CertificateThumbprint { get; set; }
}
public class Base64UrlConverter : JsonConverter<byte[]>
{
public override byte[] Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
{
// GetValueSpan gives you the raw UTF-8 bytes of the JSON string value
if (reader.HasValueSequence)
{
var valueSequence = reader.ValueSequence.ToArray();
return Base64Url.DecodeFromUtf8(valueSequence);
}
return Base64Url.DecodeFromUtf8(reader.ValueSpan);
}
public override void Write(Utf8JsonWriter writer, byte[] value, JsonSerializerOptions options)
{
int encodedLength = Base64Url.GetEncodedLength(value.Length);
Span<byte> buffer = encodedLength <= 256 ? stackalloc byte[encodedLength] : new byte[encodedLength];
Base64Url.EncodeToUtf8(value, buffer);
writer.WriteStringValue(buffer);
}
}

9
IdentityShroud.Core/DTO/JsonWebKeySet.cs Normal file
View file

@ -0,0 +1,9 @@
using System.Text.Json.Serialization;
namespace IdentityShroud.Core.Messages;
public class JsonWebKeySet
{
[JsonPropertyName("keys")]
public List<JsonWebKey> Keys { get; set; } = new List<JsonWebKey>();
}

1
IdentityShroud.Core/IdentityShroud.Core.csproj
View file

@ -11,6 +11,7 @@
<PackageReference Include="FluentResults" Version="4.0.0" />
<PackageReference Include="FluentValidation" Version="12.1.1" />
<PackageReference Include="jose-jwt" Version="5.2.0" />
<PackageReference Include="LanguageExt.Core" Version="4.4.9" />
<PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="10.0.2" />
<PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="10.0.0" />
</ItemGroup>

2
IdentityShroud.Core/Model/Client.cs
View file

@ -10,7 +10,7 @@ namespace IdentityShroud.Core.Model;
public class Client
{
[Key]
public Guid Id { get; set; }
public int Id { get; set; }
public Guid RealmId { get; set; }
[MaxLength(40)]
public required string ClientId { get; set; }

9
IdentityShroud.Core/Security/AesGcmHelper.cs
View file

@ -31,9 +31,8 @@ public static class AesGcmHelper
// • payload byte[] containing nonce‖ciphertext‖tag
// • returns the original plaintext bytes
// --------------------------------------------------------------------
public static byte[] DecryptAesGcm(byte[] payload, byte[] key)
public static byte[] DecryptAesGcm(ReadOnlyMemory<byte> payload, byte[] key)
{
if (payload == null) throw new ArgumentNullException(nameof(payload));
if (key == null) throw new ArgumentNullException(nameof(key));
if (key.Length != 32) // 256bit key
throw new ArgumentException("Key must be 256bits (32 bytes) for AES256GCM.", nameof(key));
@ -49,9 +48,9 @@ public static class AesGcmHelper
if (payload.Length < nonceSize + tagSize)
throw new ArgumentException("Payload is too short to contain nonce, ciphertext, and tag.", nameof(payload));
ReadOnlySpan<byte> nonce = new(payload, 0, nonceSize);
ReadOnlySpan<byte> ciphertext = new(payload, nonceSize, payload.Length - nonceSize - tagSize);
ReadOnlySpan<byte> tag = new(payload, payload.Length - tagSize, tagSize);
ReadOnlySpan<byte> nonce = payload.Span[..nonceSize];
ReadOnlySpan<byte> ciphertext = payload.Span.Slice(nonceSize, payload.Length - nonceSize - tagSize);
ReadOnlySpan<byte> tag = payload.Span.Slice(payload.Length - tagSize, tagSize);
byte[] plaintext = new byte[ciphertext.Length];

20
IdentityShroud.Core/Security/Keys/IKeyProvider.cs Normal file
View file

@ -0,0 +1,20 @@
using IdentityShroud.Core.Messages;
using IdentityShroud.Core.Model;
namespace IdentityShroud.Core.Security.Keys;
public abstract class KeyPolicy
{
public abstract string KeyType { get; }
}
public interface IKeyProvider
{
byte[] CreateKey(KeyPolicy policy);
void SetJwkParameters(byte[] key, JsonWebKey jwk);
}

7
IdentityShroud.Core/Security/Keys/IKeyProviderFactory.cs Normal file
View file

@ -0,0 +1,7 @@
namespace IdentityShroud.Core.Security.Keys;
public interface IKeyProviderFactory
{
public IKeyProvider CreateProvider(string keyType);
}

17
IdentityShroud.Core/Security/Keys/KeyProviderFactory.cs Normal file
View file

@ -0,0 +1,17 @@
using IdentityShroud.Core.Security.Keys.Rsa;
namespace IdentityShroud.Core.Security.Keys;
public class KeyProviderFactory : IKeyProviderFactory
{
public IKeyProvider CreateProvider(string keyType)
{
switch (keyType)
{
case "RSA":
return new RsaProvider();
default:
throw new NotImplementedException();
}
}
}

37
IdentityShroud.Core/Security/Keys/Rsa/RsaProvider.cs Normal file
View file

@ -0,0 +1,37 @@
using System.Buffers.Text;
using System.Security.Cryptography;
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Messages;
using IdentityShroud.Core.Model;
namespace IdentityShroud.Core.Security.Keys.Rsa;
public class RsaKeyPolicy : KeyPolicy
{
public override string KeyType => "RSA";
public int KeySize { get; } = 2048;
}
public class RsaProvider : IKeyProvider
{
public byte[] CreateKey(KeyPolicy policy)
{
if (policy is RsaKeyPolicy p)
{
using var rsa = RSA.Create(p.KeySize);
return rsa.ExportPkcs8PrivateKey();
}
throw new ArgumentException("Incorrect policy type", nameof(policy));
}
public void SetJwkParameters(byte[] key, JsonWebKey jwk)
{
using var rsa = RSA.Create();
rsa.ImportPkcs8PrivateKey(key, out _);
var parameters = rsa.ExportParameters(includePrivateParameters: false);
jwk.Exponent = Base64Url.EncodeToString(parameters.Exponent);
jwk.Modulus = Base64Url.EncodeToString(parameters.Modulus);
}
}

6
IdentityShroud.Core/Services/ClientService.cs
View file

@ -14,7 +14,6 @@ public class ClientService(
{
Client client = new()
{
Id = Guid.NewGuid(),
RealmId = realmId,
ClientId = request.ClientId,
Name = request.Name,
@ -40,6 +39,11 @@ public class ClientService(
return await db.Clients.FirstOrDefaultAsync(c => c.ClientId == clientId, ct);
}
public async Task<Client?> FindById(int id, CancellationToken ct = default)
{
return await db.Clients.FirstOrDefaultAsync(c => c.Id == id, ct);
}
private ClientSecret CreateSecret()
{
byte[] secret = RandomNumberGenerator.GetBytes(24);

2
IdentityShroud.Core/Services/EncryptionService.cs
View file

@ -20,7 +20,7 @@ public class EncryptionService : IEncryptionService
return AesGcmHelper.EncryptAesGcm(plain, encryptionKey);
}
public byte[] Decrypt(byte[] cipher)
public byte[] Decrypt(ReadOnlyMemory<byte> cipher)
{
return AesGcmHelper.DecryptAesGcm(cipher, encryptionKey);
}

30
IdentityShroud.Core/Services/KeyProvisioningService.cs
View file

@ -1,30 +0,0 @@
using System.Security.Cryptography;
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Model;
namespace IdentityShroud.Core.Services;
public class KeyProvisioningService(
IEncryptionService encryptionService,
IClock clock) : IKeyProvisioningService
{
public RealmKey CreateRsaKey(int keySize = 2048)
{
using var rsa = RSA.Create(keySize);
return CreateKey("RSA", rsa.ExportPkcs8PrivateKey());
}
private RealmKey CreateKey(string keyType, byte[] keyData) =>
new RealmKey(
Guid.NewGuid(),
keyType,
encryptionService.Encrypt(keyData),
clock.UtcNow());
// public byte[] GetPrivateKey(IEncryptionService encryptionService)
// {
// if (_privateKeyDecrypted.Length == 0 && PrivateKeyEncrypted.Length > 0)
// _privateKeyDecrypted = encryptionService.Decrypt(PrivateKeyEncrypted);
// return _privateKeyDecrypted;
// }
}

52
IdentityShroud.Core/Services/KeyService.cs Normal file
View file

@ -0,0 +1,52 @@
using System.Security.Cryptography;
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Messages;
using IdentityShroud.Core.Model;
using IdentityShroud.Core.Security.Keys;
namespace IdentityShroud.Core.Services;
public class KeyService(
IEncryptionService cryptor,
IKeyProviderFactory keyProviderFactory,
IClock clock) : IKeyService
{
public RealmKey CreateKey(KeyPolicy policy)
{
IKeyProvider provider = keyProviderFactory.CreateProvider(policy.KeyType);
var plainKey = provider.CreateKey(policy);
return CreateKey(policy.KeyType, plainKey);
}
public JsonWebKey? CreateJsonWebKey(RealmKey realmKey)
{
JsonWebKey jwk = new()
{
KeyId = realmKey.Id.ToString(),
KeyType = realmKey.KeyType,
Use = "sig",
};
IKeyProvider provider = keyProviderFactory.CreateProvider(realmKey.KeyType);
provider.SetJwkParameters(
cryptor.Decrypt(realmKey.KeyDataEncrypted),
jwk);
return jwk;
}
private RealmKey CreateKey(string keyType, byte[] plainKey) =>
new RealmKey(
Guid.NewGuid(),
keyType,
cryptor.Encrypt(plainKey),
clock.UtcNow());
// public byte[] GetPrivateKey(IEncryptionService encryptionService)
// {
// if (_privateKeyDecrypted.Length == 0 && PrivateKeyEncrypted.Length > 0)
// _privateKeyDecrypted = encryptionService.Decrypt(PrivateKeyEncrypted);
// return _privateKeyDecrypted;
// }
}

21
IdentityShroud.Core/Services/RealmService.cs
View file

@ -3,6 +3,8 @@ using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Helpers;
using IdentityShroud.Core.Messages.Realm;
using IdentityShroud.Core.Model;
using IdentityShroud.Core.Security.Keys;
using IdentityShroud.Core.Security.Keys.Rsa;
using Microsoft.EntityFrameworkCore;
namespace IdentityShroud.Core.Services;
@ -11,8 +13,14 @@ public record RealmCreateResponse(Guid Id, string Slug, string Name);
public class RealmService(
Db db,
IKeyProvisioningService keyProvisioningService) : IRealmService
IKeyService keyService) : IRealmService
{
public async Task<Realm?> FindById(Guid id, CancellationToken ct = default)
{
return await db.Realms
.SingleOrDefaultAsync(r => r.Id == id, ct);
}
public async Task<Realm?> FindBySlug(string slug, CancellationToken ct = default)
{
return await db.Realms
@ -26,8 +34,9 @@ public class RealmService(
Id = request.Id ?? Guid.CreateVersion7(),
Slug = request.Slug ?? SlugHelper.GenerateSlug(request.Name),
Name = request.Name,
Keys = [ keyProvisioningService.CreateRsaKey() ],
};
realm.Keys.Add(keyService.CreateKey(GetKeyPolicy(realm)));
db.Add(realm);
await db.SaveChangesAsync(ct);
@ -36,6 +45,14 @@ public class RealmService(
realm.Id, realm.Slug, realm.Name);
}
/// <summary>
/// Place holder for getting policies from the realm and falling back to sane defaults when no policies have been set.
/// </summary>
/// <param name="_"></param>
/// <returns></returns>
private KeyPolicy GetKeyPolicy(Realm _) => new RsaKeyPolicy();
public async Task LoadActiveKeys(Realm realm)
{
await db.Entry(realm).Collection(r => r.Keys)