Miscelanious trials

IdentityShroud.Core/Security/AesGcmHelper.cs

@@ -0,0 +1,64 @@
+using System.Security.Cryptography;
+
+namespace IdentityShroud.Core.Security;
+
+public static class AesGcmHelper
+{
+    
+    public static byte[] EncryptAesGcm(byte[] plaintext, byte[] key)
+    {
+        using var aes = new AesGcm(key);
+        byte[] nonce = RandomNumberGenerator.GetBytes(AesGcm.NonceByteSizes.MaxSize);
+        byte[] ciphertext = new byte[plaintext.Length];
+        byte[] tag = new byte[AesGcm.TagByteSizes.MaxSize];
+
+        aes.Encrypt(nonce, plaintext, ciphertext, tag);
+        // Return concatenated nonce|ciphertext|tag (or store separately)
+        return nonce.Concat(ciphertext).Concat(tag).ToArray();
+    }
+    
+    // --------------------------------------------------------------------
+    // DecryptAesGcm
+    //   • key      – 32‑byte (256‑bit) secret key (same key used for encryption)
+    //   • payload  – byte[] containing nonce‖ciphertext‖tag
+    //   • returns  – the original plaintext bytes
+    // --------------------------------------------------------------------
+    public static byte[] DecryptAesGcm(byte[] payload, byte[] key)
+    {
+        if (payload == null) throw new ArgumentNullException(nameof(payload));
+        if (key == null)     throw new ArgumentNullException(nameof(key));
+        if (key.Length != 32) // 256‑bit key
+            throw new ArgumentException("Key must be 256 bits (32 bytes) for AES‑256‑GCM.", nameof(key));
+
+        // ----------------------------------------------------------------
+        // 1️⃣ Extract the three components.
+        // ----------------------------------------------------------------
+        // AesGcm.NonceByteSizes.MaxSize = 12 bytes (standard GCM nonce length)
+        // AesGcm.TagByteSizes.MaxSize   = 16 bytes (128‑bit authentication tag)
+        int nonceSize = AesGcm.NonceByteSizes.MaxSize; // 12
+        int tagSize   = AesGcm.TagByteSizes.MaxSize;   // 16
+
+        if (payload.Length < nonceSize + tagSize)
+            throw new ArgumentException("Payload is too short to contain nonce, ciphertext, and tag.", nameof(payload));
+
+        ReadOnlySpan<byte> nonce = new(payload, 0, nonceSize);
+        ReadOnlySpan<byte> ciphertext = new(payload, nonceSize, payload.Length - nonceSize - tagSize);
+        ReadOnlySpan<byte> tag = new(payload, payload.Length - tagSize, tagSize);
+        
+
+        byte[] plaintext = new byte[ciphertext.Length];
+
+        using var aes = new AesGcm(key);
+        try
+        {
+            aes.Decrypt(nonce, ciphertext, tag, plaintext);
+        }
+        catch (CryptographicException ex)
+        {
+            // Tag verification failed → tampering or wrong key/nonce.
+            throw new InvalidOperationException("Decryption failed – authentication tag mismatch.", ex);
+        }
+
+        return plaintext;
+    }
+}

IdentityShroud.Core/Security/JwtSignatureGenerator.cs

@@ -0,0 +1,38 @@
+using System.Security.Cryptography;
+using System.Text;
+using Microsoft.AspNetCore.WebUtilities;
+
+namespace IdentityShroud.Core;
+
+public class JwtSignatureGenerator
+{
+    /// <summary>
+    /// Generates a JWT signature using RS256 algorithm
+    /// </summary>
+    /// <param name="headerBase64Url">Base64Url encoded header</param>
+    /// <param name="payloadBase64Url">Base64Url encoded payload</param>
+    /// <param name="privateKey">RSA private key (PEM format or RSA parameters)</param>
+    /// <returns>Base64Url encoded signature</returns>
+    public static string GenerateRS256Signature(string headerBase64Url, string payloadBase64Url, RSA privateKey)
+    {
+        // Combine header and payload with a period
+        string dataToSign = $"{headerBase64Url}.{payloadBase64Url}";
+
+        // Convert to bytes
+        byte[] dataBytes = Encoding.UTF8.GetBytes(dataToSign);
+
+        // Sign the data using RSA-SHA256
+        byte[] signatureBytes = privateKey.SignData(dataBytes, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+
+        // Convert signature to Base64Url encoding
+        string signature = WebEncoders.Base64UrlEncode(signatureBytes);
+
+        return signature;
+    }
+    
+    public static string GenerateCompleteJwt(string headerBase64Url, string payloadBase64Url, RSA privateKey)
+    {
+        string signature = GenerateRS256Signature(headerBase64Url, payloadBase64Url, privateKey);
+        return $"{headerBase64Url}.{payloadBase64Url}.{signature}";
+    }    
+}