jwt-dotnet · CADBIMDeveloper · Jan 27, 2024 · Jan 27, 2024 · Jan 27, 2024 · Feb 4, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Unreleased
 
+# JWT 11.0.0-beta3
+
+- Added support ofr JSON web keys
+
 # JWT.Extensions.AspNetCore 11.0.0-beta3
 
 - Converted to use the event model to allow dependency injection with custom event classes.
@@ -47,4 +51,4 @@
 - Renamed default IdentityFactory in Jwt.Extensions.AspNetCore, opened up for inheritance, extension (#428)
 - Added Encode(T) and Encode(Type, object) to JwtBuilder (#415)
 - Updated Newtonsoft.Json to version 13.0.1
-- Fixed typos in exception messages
+- Fixed typos in exception messages
diff --git a/src/JWT/Algorithms/HMACSHA256Algorithm.cs b/src/JWT/Algorithms/HMACSHA256Algorithm.cs
@@ -7,6 +7,16 @@ namespace JWT.Algorithms
     /// </summary>
     public sealed class HMACSHA256Algorithm : HMACSHAAlgorithm
     {
+        public HMACSHA256Algorithm()
+        {
+
+        }
+
+        internal HMACSHA256Algorithm(byte[] key) : base(key)
+        {
+
+        }
+
         /// <inheritdoc />
         public override string Name => nameof(JwtAlgorithmName.HS256);
 

diff --git a/src/JWT/Algorithms/HMACSHA384Algorithm.cs b/src/JWT/Algorithms/HMACSHA384Algorithm.cs
@@ -7,6 +7,16 @@ namespace JWT.Algorithms
     /// </summary>
     public sealed class HMACSHA384Algorithm : HMACSHAAlgorithm
     {
+        public HMACSHA384Algorithm()
+        {
+
+        }
+
+        internal HMACSHA384Algorithm(byte[] key) : base(key)
+        {
+
+        }
+
         /// <inheritdoc />
         public override string Name => nameof(JwtAlgorithmName.HS384);
 

diff --git a/src/JWT/Algorithms/HMACSHA512Algorithm.cs b/src/JWT/Algorithms/HMACSHA512Algorithm.cs
@@ -6,7 +6,17 @@ namespace JWT.Algorithms
     /// HMAC using SHA-512
     /// </summary>
     public sealed class HMACSHA512Algorithm : HMACSHAAlgorithm
-    {
+    {   
+        public HMACSHA512Algorithm()
+        {
+
+        }
+
+        internal HMACSHA512Algorithm(byte[] key) : base(key)
+        {
+
+        }
+
         /// <inheritdoc />
         public override string Name => nameof(JwtAlgorithmName.HS512);
 

diff --git a/src/JWT/Algorithms/HMACSHAAlgorithm.cs b/src/JWT/Algorithms/HMACSHAAlgorithm.cs
@@ -2,8 +2,18 @@
 
 namespace JWT.Algorithms
 {
-    public abstract class HMACSHAAlgorithm : IJwtAlgorithm
+    public abstract class HMACSHAAlgorithm : ISymmetricAlgorithm
     {
+        protected HMACSHAAlgorithm()
+        {
+
+        }
+
+        protected HMACSHAAlgorithm(byte[] key)
+        {
+            this.Key = key;
+        }
+
         /// <inheritdoc />
         public abstract string Name { get; }
 
@@ -13,10 +23,12 @@ public abstract class HMACSHAAlgorithm : IJwtAlgorithm
         /// <inheritdoc />
         public byte[] Sign(byte[] key, byte[] bytesToSign)
         {
-            using var sha = CreateAlgorithm(key);
+            using var sha = CreateAlgorithm(key ?? this.Key);
             return sha.ComputeHash(bytesToSign);
         }
 
+        public byte[] Key { get; }
+
         protected abstract HMAC CreateAlgorithm(byte[] key);
     }
 }
diff --git a/src/JWT/Algorithms/HMACSHAAlgorithmFactory.cs b/src/JWT/Algorithms/HMACSHAAlgorithmFactory.cs
@@ -5,16 +5,28 @@ namespace JWT.Algorithms
     /// <inheritdoc />
     public class HMACSHAAlgorithmFactory : JwtAlgorithmFactory
     {
+        private readonly byte[] _key;
+
+        public HMACSHAAlgorithmFactory()
+        {
+
+        }
+
+        public HMACSHAAlgorithmFactory(byte[] key)
+        {
+            _key = key;
+        }
+
         protected override IJwtAlgorithm Create(JwtAlgorithmName algorithm)
         {
             switch (algorithm)
             {
                 case JwtAlgorithmName.HS256:
-                    return new HMACSHA256Algorithm();
+                    return new HMACSHA256Algorithm(_key);
                 case JwtAlgorithmName.HS384:
-                    return new HMACSHA384Algorithm();
+                    return new HMACSHA384Algorithm(_key);
                 case JwtAlgorithmName.HS512:
-                    return new HMACSHA512Algorithm();
+                    return new HMACSHA512Algorithm(_key);
                 case JwtAlgorithmName.RS256:
                 case JwtAlgorithmName.RS384:
                 case JwtAlgorithmName.RS512:

diff --git a/src/JWT/Algorithms/ISymmetricAlgorithm.cs b/src/JWT/Algorithms/ISymmetricAlgorithm.cs
@@ -0,0 +1,10 @@
+namespace JWT.Algorithms
+{
+    /// <summary>
+    /// Represents a symmetric algorithm to generate or validate JWT signature.
+    /// </summary>
+    public interface ISymmetricAlgorithm : IJwtAlgorithm
+    {
+        byte[] Key { get; }
+    }
+}
diff --git a/src/JWT/Builder/JwtBuilder.cs b/src/JWT/Builder/JwtBuilder.cs
@@ -2,6 +2,7 @@
 using System.Linq;
 using System.Reflection;
 using JWT.Algorithms;
+using JWT.Jwk;
 using JWT.Serializers;
 using Newtonsoft.Json;
 
@@ -34,6 +35,8 @@ public sealed class JwtBuilder
         private IAlgorithmFactory _algFactory;
         private byte[][] _secrets;
 
+        private JwtWebKeysCollection _webKeysCollection;
+
         /// <summary>
         /// Creates a new instance of instance <see cref="JwtBuilder" />
         /// </summary>
@@ -170,6 +173,96 @@ public JwtBuilder WithAlgorithmFactory(IAlgorithmFactory algFactory)
             return this;
         }
 
+        /// <summary>
+        /// Sets Json Web Key Set
+        /// </summary>
+        /// <param name="webKeysCollection"></param>
+        /// <returns>Current builder instance.</returns>
+        public JwtBuilder WithJsonWebKeySet(JwtWebKeysCollection webKeysCollection)
+        {
+            _webKeysCollection = webKeysCollection;
+            _algFactory = new JwtJsonWebKeySetAlgorithmFactory(webKeysCollection);
+            return this;
+        }
+
+        /// <summary>
+        /// Sets Json Web Key Set
+        /// </summary>
+        /// <param name="getJsonWebKeys"></param>
+        /// <returns>Current builder instance.</returns>
+        public JwtBuilder WithJsonWebKeySet(Func<JwtWebKeysCollection> getJsonWebKeys)
+        {
+            return WithJsonWebKeySet(getJsonWebKeys());
+        }
+
+        /// <summary>
+        /// Sets Json Web Key Set
+        /// </summary>
+        /// <param name="webKeysCollectionFactory"></param>
+        /// <returns>Current builder instance.</returns>
+        public JwtBuilder WithJsonWebKeySet(IJwtWebKeysCollectionFactory webKeysCollectionFactory)
+        {
+            return WithJsonWebKeySet(webKeysCollectionFactory.CreateKeys());
+        }
+
+        /// <summary>
+        /// Sets Json Web Key Set
+        /// </summary>
+        /// <param name="keySet"></param>
+        /// <returns>Current builder instance.</returns>
+        public JwtBuilder WithJsonWebKeySet(string keySet)
+        {
+            return WithJsonWebKeySet(new JwtWebKeysCollection(keySet, _jsonSerializerFactory));
+        }
+
+        /// <summary>
+        /// Sets Json Web Key
+        /// </summary>
+        /// <param name="keyId">Key id in the JSON Web Key Set</param>
+        /// <param name="algorithmName">JWT algorithm name</param>
+        /// <returns>Current builder instance</returns>
+        /// <exception cref="InvalidOperationException"></exception>
+        public JwtBuilder WithJsonWebKey(string keyId, JwtAlgorithmName algorithmName)
+        {
+            if (_webKeysCollection == null)
+                throw new InvalidOperationException("JSON Web Key Set collection has not been initialized yet");
+
+            var key = _webKeysCollection.Find(keyId);
+
+            if (key == null)
+                throw new InvalidOperationException("The key id is not presented in the JSON Web key set");
+
+            return WithJsonWebKey(key, algorithmName);
+        }
+
+        /// <summary>
+        /// Sets Json Web Key
+        /// </summary>
+        /// <param name="key">JSON Web Key</param>
+        /// <param name="algorithmName">JWT algorithm name</param>
+        /// <returns>Current builder instance</returns>
+        /// <exception cref="ArgumentNullException"></exception>
+        public JwtBuilder WithJsonWebKey(JwtWebKey key, JwtAlgorithmName algorithmName)
+        {
+            if (key == null)
+                throw new ArgumentNullException(nameof(key), "JSON Web Key has not been provided");
+
+            var factory = new JwtJsonWebKeyAlgorithmFactory(key);
+
+            var context = new JwtDecoderContext
+            {
+                Header = new JwtHeader
+                {
+                    Algorithm = algorithmName.ToString(),
+                    KeyId = key.KeyId
+                }
+            };
+
+            _algorithm = factory.Create(context);
+
+            return AddHeader(HeaderName.KeyId, key.KeyId);
+        }
+
         /// <summary>
         /// Sets JWT algorithm.
         /// </summary>

diff --git a/src/JWT/Exceptions/InvalidJsonWebKeyEllipticCurveTypeException.cs b/src/JWT/Exceptions/InvalidJsonWebKeyEllipticCurveTypeException.cs
@@ -0,0 +1,13 @@
+using System;
+
+namespace JWT.Exceptions
+{
+    public class InvalidJsonWebKeyEllipticCurveTypeException : ArgumentOutOfRangeException
+    {
+        public InvalidJsonWebKeyEllipticCurveTypeException(string ellipticCurveType)
+            : base($"{ellipticCurveType} is not defined in RFC751")
+        {
+
+        }
+    }
+}
diff --git a/src/JWT/Exceptions/InvalidJsonWebKeyTypeException.cs b/src/JWT/Exceptions/InvalidJsonWebKeyTypeException.cs
@@ -0,0 +1,13 @@
+using System;
+
+namespace JWT.Exceptions
+{
+    public class InvalidJsonWebKeyTypeException : ArgumentOutOfRangeException
+    {
+        public InvalidJsonWebKeyTypeException(string keyType)
+            : base($"{keyType} is not defined in RFC7518")
+        {
+
+        }
+    }
+}
diff --git a/src/JWT/IJwtValidator.cs b/src/JWT/IJwtValidator.cs
@@ -28,6 +28,19 @@ public interface IJwtValidator
         /// <param name="decodedSignature">The signature to validate with</param>
         void Validate(string decodedPayload, IAsymmetricAlgorithm alg, byte[] bytesToSign, byte[] decodedSignature);
 
+        /// <summary>
+        /// Given the JWT, verifies its signature correctness.
+        /// </summary>
+        /// <remarks>
+        /// Used by the symmetric algorithms only.
+        /// </remarks>
+        /// <param name="keys">The keys provided which one of them was used to sign the JWT</param>
+        /// <param name="decodedPayload"></param>
+        /// <param name="alg"></param>
+        /// <param name="bytesToSign"></param>
+        /// <param name="decodedSignature"></param>
+        void Validate(byte[][] keys, string decodedPayload, ISymmetricAlgorithm alg, byte[] bytesToSign, byte[] decodedSignature);
+
         /// <summary>
         /// Given the JWT, verifies its signature correctness without throwing an exception but returning it instead.
         /// </summary>

diff --git a/src/JWT/JWT.csproj b/src/JWT/JWT.csproj
@@ -28,7 +28,7 @@
   </PropertyGroup>
 
   <PropertyGroup>
-    <Version>11.0.0-beta2</Version>
+    <Version>11.0.0-beta3</Version>
     <FileVersion>11.0.0.0</FileVersion>
     <AssemblyVersion>11.0.0.0</AssemblyVersion>
   </PropertyGroup>

diff --git a/src/JWT/Jwk/IJwtWebKeysCollection.cs b/src/JWT/Jwk/IJwtWebKeysCollection.cs
@@ -0,0 +1,7 @@
+namespace JWT.Jwk
+{
+    public interface IJwtWebKeysCollection
+    {
+        JwtWebKey Find(string keyId);
+    }
+}
diff --git a/src/JWT/Jwk/IJwtWebKeysCollectionFactory.cs b/src/JWT/Jwk/IJwtWebKeysCollectionFactory.cs
@@ -0,0 +1,6 @@
+namespace JWT.Jwk;
+
+public interface IJwtWebKeysCollectionFactory
+{
+    JwtWebKeysCollection CreateKeys();
+}