Implement jwks endpoint and add test for it.

This also let to some improvements/cleanups of the other tests and fixtures.
2026-02-15 19:06:09 +01:00 · 2026-02-15 19:06:09 +01:00 · ccb06b260c
commit ccb06b260c
parent a80c133e2a
24 changed files with 353 additions and 107 deletions
--- a/IdentityShroud.Core/Security/AesGcmHelper.cs
+++ b/IdentityShroud.Core/Security/AesGcmHelper.cs
@ -7,14 +7,22 @@ public static class AesGcmHelper
    
    public static byte[] EncryptAesGcm(byte[] plaintext, byte[] key)
    {
-        using var aes = new AesGcm(key);
-        byte[] nonce = RandomNumberGenerator.GetBytes(AesGcm.NonceByteSizes.MaxSize);
-        byte[] ciphertext = new byte[plaintext.Length];
-        byte[] tag = new byte[AesGcm.TagByteSizes.MaxSize];
+        int tagSize = AesGcm.TagByteSizes.MaxSize;
+        using var aes = new AesGcm(key, tagSize);
+        
+        Span<byte> nonce = stackalloc byte[AesGcm.NonceByteSizes.MaxSize];
+        RandomNumberGenerator.Fill(nonce);
+        Span<byte> ciphertext = stackalloc byte[plaintext.Length];
+        Span<byte> tag = stackalloc byte[tagSize];

        aes.Encrypt(nonce, plaintext, ciphertext, tag);
-        // Return concatenated nonce|ciphertext|tag (or store separately)
-        return nonce.Concat(ciphertext).Concat(tag).ToArray();
+
+        // Return concatenated nonce|ciphertext|tag
+        var result = new byte[nonce.Length + ciphertext.Length + tag.Length];
+        nonce.CopyTo(result.AsSpan(0, nonce.Length));
+        ciphertext.CopyTo(result.AsSpan(nonce.Length, ciphertext.Length));
+        tag.CopyTo(result.AsSpan(nonce.Length + ciphertext.Length, tag.Length));
+        return result;
    }
    
    // --------------------------------------------------------------------
@ -44,11 +52,10 @@ public static class AesGcmHelper
        ReadOnlySpan<byte> nonce = new(payload, 0, nonceSize);
        ReadOnlySpan<byte> ciphertext = new(payload, nonceSize, payload.Length - nonceSize - tagSize);
        ReadOnlySpan<byte> tag = new(payload, payload.Length - tagSize, tagSize);
-        

        byte[] plaintext = new byte[ciphertext.Length];

-        using var aes = new AesGcm(key);
+        using var aes = new AesGcm(key, tagSize);
        try
        {
            aes.Decrypt(nonce, ciphertext, tag, plaintext);
--- a/IdentityShroud.Core/Security/JsonWebAlgorithm.cs
+++ b/IdentityShroud.Core/Security/JsonWebAlgorithm.cs
@ -0,0 +1,8 @@
+using System.Security.Cryptography;
+
+namespace IdentityShroud.Core.Security;
+
+public static class JsonWebAlgorithm
+{
+    public const string RS256 = "RS256";
+}
--- a/IdentityShroud.Core/Security/RsaHelper.cs
+++ b/IdentityShroud.Core/Security/RsaHelper.cs
@ -4,4 +4,13 @@ namespace IdentityShroud.Core.Security;

 public static class RsaHelper
 {
+    /// <summary>
+    /// Load RSA private key from PKCS#8 format
+    /// </summary>
+    public static RSA LoadFromPkcs8(byte[] pkcs8Key)
+    {
+        var rsa = RSA.Create();
+        rsa.ImportPkcs8PrivateKey(pkcs8Key, out _);
+        return rsa;
+    }
 }