Add Windows support for AESGCM EncryptingCredentials #2083
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
anblanco
commented
May 18, 2023
| else | ||
| throw LogHelper.LogExceptionMessage( | ||
| new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10617, LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes128CbcHmacSha256), LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes192CbcHmacSha384), LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes256CbcHmacSha512), LogHelper.MarkAsNonPII(encryptingCredentials.Enc)))); |
There was a problem hiding this comment.
Even if I provide a custom CryptoProviderFactory with my own implementation of AuthenticatedEncryptionProvider, this code still throws and prevents me from creating tokens of type AESGCM
One alternate approach would be to have two separate PRs:
-
Enable support for AES-GCM with custom CryptoProviderFactory. This would allow consumers of the API to plug-in their own AuthenticatedEncryptionProvider (e.g. Windows Interop / .NET AES GCM)
-
A separate PR that adds support for AES-GCM Encryption. Later .NET APIs have a cross-platform API to call, but folks on .NET Framework would need to use Windows Interop
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit adds Windows support for specifying AESGCM algorithms for
EncryptingCredentials.The motivation is described in #2081
Notably #1606 first added support for AESGCM Decryption, but throws a
NotSupportedExceptionwhen attempting to create a newEncryptingCredentials. It also adds a testing class that supports Encryption / Decryption, but I don't have the full context on why encryption was excluded from production code given that decryption works as expected. Alternatively I wouldn't mind overloadingCryptoProvider/AuthenticatedEncryptionProviderwith the Windows-specific Interop for my use case (.NET Framework), but these types are made internal to the library.Uses the existing Windows Interop for OS Support of the encryption algorithm.