Add X509EncryptedCredentials class

* If only the certificate is provided, key wrap encryption algorithm
and data encryption algorithm will be set by default to RsaOaepKeyWrap
and A128CBC-HS256, respectively.

* Add internal const strings DefaultAsymmetricKeyWrapAlgorithm and
DefaultSymmetricAlgorithm to indicate the default algorithms used for
encryption

* Add new ctor to EncryptingCredentials to allow users to pass
only a 'shared' symmetric key which will be used to encrypt data, but
it will not be serialized to a SAML token.

* Add protected ctor to EncryptingCredentials to check if a certificate
passed to X509EncryptedCredentials is null. Provides cleaner stack
trace in case of an exception caused by a null cert.

* Refactor EncryptingCredentials so null/empty checks are moved
to setters

Resolves: #995
See also: #734

Author: GeoK

src/Microsoft.IdentityModel.Tokens/EncryptingCredentials.cs

@@ -25,6 +25,8 @@
 //
 //------------------------------------------------------------------------------
 
+using System;
+using System.Security.Cryptography.X509Certificates;
 using Microsoft.IdentityModel.Logging;
 
 namespace Microsoft.IdentityModel.Tokens
@@ -34,58 +36,98 @@ namespace Microsoft.IdentityModel.Tokens
     /// </summary>
     public class EncryptingCredentials
     {
+        private string _alg;
+        private string _enc;
+        private SecurityKey _key;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="EncryptingCredentials"/> class.
+        /// </summary>
+        /// <param name="certificate"><see cref="X509Certificate2"/>.</param>
+        /// <param name="alg">Key encryption algorithm to apply.</param>
+        /// <param name="enc">Data encryption algorithm to apply.</param>
+        /// <exception cref="ArgumentNullException">if 'certificate' is null.</exception>
+        /// <exception cref="ArgumentNullException">if 'alg' is null or empty.</exception>
+        /// <exception cref="ArgumentNullException">if 'enc' is null or empty.</exception>
+        protected EncryptingCredentials(X509Certificate2 certificate, string alg, string enc)
+        {
+            if (certificate == null)
+                throw LogHelper.LogArgumentNullException(nameof(certificate));
+
+            Key = new X509SecurityKey(certificate);
+            Alg = alg;
+            Enc = enc;
+        }
+
         /// <summary>
         /// Initializes a new instance of the <see cref="EncryptingCredentials"/> class.
         /// </summary>
         /// <param name="key"><see cref="SecurityKey"/></param>
-        /// <param name="alg">The key encryption algorithm to apply.</param>
-        /// <param name="enc">The encryption algorithm to apply.</param>
+        /// <param name="alg">Key encryption algorithm to apply.</param>
+        /// <param name="enc">Data encryption algorithm to apply.</param>
+        /// <exception cref="ArgumentNullException">if 'key' is null.</exception>
+        /// <exception cref="ArgumentNullException">if 'alg' is null or empty.</exception>
+        /// <exception cref="ArgumentNullException">if 'enc' is null or empty.</exception>
         public EncryptingCredentials(SecurityKey key, string alg, string enc)
         {
-            if (key == null)
-                throw LogHelper.LogArgumentNullException(nameof(key));
+            Key = key;
+            Alg = alg;
+            Enc = enc;
+        }
 
-            if (string.IsNullOrWhiteSpace(alg))
-                throw LogHelper.LogArgumentNullException(nameof(alg));
+        /// <summary>
+        /// Initializes a new instance of the <see cref="EncryptingCredentials"/> class.
+        /// </summary>
+        /// <remarks> Used in scenarios when a key represents a 'shared' symmetric key.
+        /// For example, SAML 2.0 Assertion will be encrypted using a provided symmetric key
+        /// which won't be serialized to a SAML token.
+        /// </remarks>
+        /// <param name="key"><see cref="SecurityKey"/></param>
+        /// <param name="enc">Data encryption algorithm to apply</param>
+        /// <exception cref="ArgumentException">If the <see cref="SecurityKey"/> is not <see cref="SymmetricSecurityKey"/>.</exception>
+        /// <exception cref="ArgumentNullException">if 'enc' is null or empty.</exception>
+        public EncryptingCredentials(SecurityKey key, string enc)
+        {
+            Key = key;
 
-            if (string.IsNullOrWhiteSpace(enc))
-                throw LogHelper.LogArgumentNullException(nameof(enc));
+            if (key.GetType() != typeof(SymmetricSecurityKey))
+                throw LogHelper.LogArgumentException<ArgumentException>("key", LogMessages.IDX10704);
 
-            Alg = alg;
+            //explicitly setting Alg to None
+            Alg = SecurityAlgorithms.None;
             Enc = enc;
-            Key = key;
         }
 
         /// <summary>
         /// Gets the algorithm which used for token encryption.
         /// </summary>
         public string Alg
         {
-            get;
-            private set;
+            get => _alg;
+            private set => _alg = string.IsNullOrEmpty(value) ? throw LogHelper.LogArgumentNullException("alg") : value;
         }
 
         /// <summary>
         /// Gets the algorithm which used for token encryption.
         /// </summary>
         public string Enc
         {
-            get;
-            private set;
+            get => _enc;
+            private set => _enc = string.IsNullOrEmpty(value) ? throw LogHelper.LogArgumentNullException("enc") : value;
         }
 
         /// <summary>
-        /// Users can override the default <see cref="CryptoProviderFactory"/> with this property. This factory will be used for creating encryition providers.
+        /// Users can override the default <see cref="CryptoProviderFactory"/> with this property. This factory will be used for creating encryption providers.
         /// </summary>
         public CryptoProviderFactory CryptoProviderFactory { get; set; }
 
         /// <summary>
-        /// Gets the <see cref="SecurityKey"/> which used for signature valdiation.
+        /// Gets the <see cref="SecurityKey"/> which used for signature validation.
         /// </summary>
         public SecurityKey Key
         {
-            get;
-            private set;
+            get => _key;
+            private set => _key = value ?? throw LogHelper.LogArgumentNullException("key");
         }
     }
 }

src/Microsoft.IdentityModel.Tokens/LogMessages.cs

@@ -178,6 +178,7 @@ internal static class LogMessages
         public const string IDX10701 = "IDX10701: Invalid JsonWebKey rsa keying material: '{0}'. Both modulus and exponent should be present";
         public const string IDX10702 = "IDX10702: One or more private RSA key parts are null in the JsonWebKey: '{0}'";
         public const string IDX10703 = "IDX10703: Cannot create symmetric security key. Key length is zero.";
+        public const string IDX10704 = "IDX10704: The SecurityKey provided is not a SymmetricSecurityKey.";
 
         // Json specific errors
         public const string IDX10801 = "IDX10801: Unable to create an RSA public key from the Exponent and Modulus found in the JsonWebKey: E: '{0}', N: '{1}'. See inner exception for additional details.";

src/Microsoft.IdentityModel.Tokens/SecurityAlgorithms.cs

@@ -113,6 +113,9 @@ public static class SecurityAlgorithms
         public const string Aes192CbcHmacSha384 = "A192CBC-HS384";
         public const string Aes256CbcHmacSha512 = "A256CBC-HS512";
 
+        internal const string DefaultAsymmetricKeyWrapAlgorithm = RsaOaepKeyWrap;
+        internal const string DefaultSymmetricAlgorithm = Aes128CbcHmacSha256;
+
 #pragma warning restore 1591
     }
 }

src/Microsoft.IdentityModel.Tokens/X509EncryptingCredentials.cs

@@ -0,0 +1,77 @@
+//------------------------------------------------------------------------------
+//
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+//
+//------------------------------------------------------------------------------
+
+using System;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Microsoft.IdentityModel.Tokens
+{
+    /// <summary>
+    /// An <see cref="X509EncryptingCredentials"/> designed for to construct an <see cref="EncryptingCredentials"/> based on a x509 certificate.
+    /// </summary>
+    public class X509EncryptingCredentials : EncryptingCredentials
+    {
+        /// <summary>
+        /// Constructs an <see cref="EncryptingCredentials"/> based on a x509 certificate.
+        /// </summary>
+        /// <param name="certificate">A <see cref="X509Certificate2"/></param>
+        /// <remarks>
+        /// <see cref="SecurityAlgorithms.DefaultAsymmetricKeyWrapAlgorithm"/> algorithm will be used by default as a key wrap encryption algorithm
+        /// <see cref="SecurityAlgorithms.DefaultSymmetricAlgorithm"/> algorithm will be used by default as a data encryption algorithm
+        /// </remarks>
+        /// <exception cref="ArgumentNullException">if 'certificate' is null.</exception>
+        public X509EncryptingCredentials(X509Certificate2 certificate)
+            : this(certificate, SecurityAlgorithms.DefaultAsymmetricKeyWrapAlgorithm, SecurityAlgorithms.DefaultSymmetricAlgorithm)
+        {
+
+        }
+
+        /// <summary>
+        /// Constructs an <see cref="EncryptingCredentials"/> based on the x509 certificate, key wrapping algorithm, and data encryption algorithm.
+        /// </summary>
+        /// <param name="certificate">A <see cref="X509Certificate2"/></param>
+        /// <param name="keyWrapEncryptionAlgorithm">A key wrapping algorithm</param>
+        /// <param name="dataEncryptionAlgorithm">A data encryption algorithm</param>
+        /// <exception cref="ArgumentNullException">if 'certificate' is null.</exception>
+        /// <exception cref="ArgumentNullException">if 'keyWrapEncryptionAlgorithm' is null or empty.</exception>
+        /// <exception cref="ArgumentNullException">if 'dataEncryptionAlgorithm' is null or empty.</exception>
+        public X509EncryptingCredentials(X509Certificate2 certificate, string keyWrapEncryptionAlgorithm, string dataEncryptionAlgorithm)
+            : base(new X509SecurityKey(certificate), keyWrapEncryptionAlgorithm, dataEncryptionAlgorithm)
+        {
+            Certificate = certificate;
+        }
+
+        /// <summary>
+        /// Gets a <see cref="X509Certificate2"/> used by this instance.
+        /// </summary>
+        public X509Certificate2 Certificate
+        {
+            get;
+            private set;
+        }
+    }
+}