Reworked code around signing keys have key details much more isolated from the other parts of the program.

IdentityShroud.Core/Security/AesGcmHelper.cs

@@ -31,9 +31,8 @@ public static class AesGcmHelper
     //   • payload  – byte[] containing nonce‖ciphertext‖tag
     //   • returns  – the original plaintext bytes
     // --------------------------------------------------------------------
-    public static byte[] DecryptAesGcm(byte[] payload, byte[] key)
+    public static byte[] DecryptAesGcm(ReadOnlyMemory<byte> payload, byte[] key)
     {
-        if (payload == null) throw new ArgumentNullException(nameof(payload));
         if (key == null)     throw new ArgumentNullException(nameof(key));
         if (key.Length != 32) // 256‑bit key
             throw new ArgumentException("Key must be 256 bits (32 bytes) for AES‑256‑GCM.", nameof(key));
@@ -49,9 +48,9 @@ public static class AesGcmHelper
         if (payload.Length < nonceSize + tagSize)
             throw new ArgumentException("Payload is too short to contain nonce, ciphertext, and tag.", nameof(payload));
 
-        ReadOnlySpan<byte> nonce = new(payload, 0, nonceSize);
-        ReadOnlySpan<byte> ciphertext = new(payload, nonceSize, payload.Length - nonceSize - tagSize);
-        ReadOnlySpan<byte> tag = new(payload, payload.Length - tagSize, tagSize);
+        ReadOnlySpan<byte> nonce = payload.Span[..nonceSize];
+        ReadOnlySpan<byte> ciphertext = payload.Span.Slice(nonceSize, payload.Length - nonceSize - tagSize);
+        ReadOnlySpan<byte> tag = payload.Span.Slice(payload.Length - tagSize, tagSize);
 
         byte[] plaintext = new byte[ciphertext.Length];
 

IdentityShroud.Core/Security/Keys/IKeyProvider.cs

@@ -0,0 +1,20 @@
+using IdentityShroud.Core.Messages;
+using IdentityShroud.Core.Model;
+
+namespace IdentityShroud.Core.Security.Keys;
+
+public abstract class KeyPolicy
+{
+    public abstract string KeyType { get; }
+}
+
+
+public interface IKeyProvider
+{
+    byte[] CreateKey(KeyPolicy policy);
+
+    void SetJwkParameters(byte[] key, JsonWebKey jwk);
+}
+
+
+

IdentityShroud.Core/Security/Keys/IKeyProviderFactory.cs

@@ -0,0 +1,7 @@
+namespace IdentityShroud.Core.Security.Keys;
+
+
+public interface IKeyProviderFactory
+{
+    public IKeyProvider CreateProvider(string keyType);
+}

IdentityShroud.Core/Security/Keys/KeyProviderFactory.cs

@@ -0,0 +1,17 @@
+using IdentityShroud.Core.Security.Keys.Rsa;
+
+namespace IdentityShroud.Core.Security.Keys;
+
+public class KeyProviderFactory : IKeyProviderFactory
+{
+    public IKeyProvider CreateProvider(string keyType)
+    {
+        switch (keyType)
+        {
+            case "RSA":
+                return new RsaProvider();
+            default:
+                throw new NotImplementedException();
+        }
+    }
+}

IdentityShroud.Core/Security/Keys/Rsa/RsaProvider.cs

@@ -0,0 +1,37 @@
+using System.Buffers.Text;
+using System.Security.Cryptography;
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Messages;
+using IdentityShroud.Core.Model;
+
+namespace IdentityShroud.Core.Security.Keys.Rsa;
+
+public class RsaKeyPolicy : KeyPolicy
+{
+    public override string KeyType => "RSA";
+    public int KeySize { get; } = 2048;
+}
+
+public class RsaProvider : IKeyProvider
+{
+    public byte[] CreateKey(KeyPolicy policy)
+    {
+        if (policy is RsaKeyPolicy p)
+        {
+            using var rsa = RSA.Create(p.KeySize);
+            return rsa.ExportPkcs8PrivateKey();
+        }
+
+        throw new ArgumentException("Incorrect policy type", nameof(policy));
+    }
+
+    public void SetJwkParameters(byte[] key, JsonWebKey jwk)
+    {
+        using var rsa = RSA.Create();
+        rsa.ImportPkcs8PrivateKey(key, out _);
+        var parameters = rsa.ExportParameters(includePrivateParameters: false);
+
+        jwk.Exponent = Base64Url.EncodeToString(parameters.Exponent);
+        jwk.Modulus = Base64Url.EncodeToString(parameters.Modulus);
+    }
+}