
Add Eddsa signature validation algorithms. fix AzureAD#2426
wparad committed Dec 15, 2023
1 parent 8cc08dc commit 566effe
Showing 4 changed files with 54 additions and 2 deletions.
14 changes: 12 additions & 2 deletions src/Microsoft.IdentityModel.Tokens/AsymmetricSignatureProvider.cs
Expand Up @@ -41,7 +41,12 @@ public class AsymmetricSignatureProvider : SignatureProvider
{ SecurityAlgorithms.RsaSsaPssSha512, 1040 },
{ SecurityAlgorithms.RsaSsaPssSha256Signature, 528 },
{ SecurityAlgorithms.RsaSsaPssSha384Signature, 784 },
{ SecurityAlgorithms.RsaSsaPssSha512Signature, 1040 }
{ SecurityAlgorithms.RsaSsaPssSha512Signature, 1040 },
{ SecurityAlgorithms.EddsaEd25519Signature, 256 },
{ SecurityAlgorithms.EddsaEd25519Sha512Signature, 256 },
{ SecurityAlgorithms.EddsaEd25519WithContextSignature, 256 },
{ SecurityAlgorithms.EddsaEd448Signature, 456 },
{ SecurityAlgorithms.EddsaEd25519Shake256Signature, 456 },
};

/// <summary>
Expand All @@ -66,7 +71,12 @@ public class AsymmetricSignatureProvider : SignatureProvider
{ SecurityAlgorithms.RsaSsaPssSha512, 1040 },
{ SecurityAlgorithms.RsaSsaPssSha256Signature, 528 },
{ SecurityAlgorithms.RsaSsaPssSha384Signature, 784 },
{ SecurityAlgorithms.RsaSsaPssSha512Signature, 1040 }
{ SecurityAlgorithms.RsaSsaPssSha512Signature, 1040 },
{ SecurityAlgorithms.EddsaEd25519Signature, 256 },
{ SecurityAlgorithms.EddsaEd25519Sha512Signature, 256 },
{ SecurityAlgorithms.EddsaEd25519WithContextSignature, 256 },
{ SecurityAlgorithms.EddsaEd448Signature, 456 },
{ SecurityAlgorithms.EddsaEd25519Shake256Signature, 456 },
};

internal AsymmetricSignatureProvider(SecurityKey key, string algorithm, CryptoProviderFactory cryptoProviderFactory)
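Review bot: Both size maps gain entries only for the five xmldsig-more URIs, while the plain `EdDSA` identifier that this commit adds to `EddsaSigningAlgorithms` and that the `JwtSecurityTokenHandler` hunk maps every URI onto gets no entry in either map. If these maps are what the key-size check consults by algorithm name before signing or verifying, a key used with the JWA `alg` value `EdDSA` misses the lookup and is left to whatever the miss path does — presumably no size check at all, which is worth confirming. Adding `{ SecurityAlgorithms.EdDSA, 256 },` to both maps closes that gap for Ed25519, but a single minimum cannot cover both Ed25519 (256-bit) and Ed448 (456-bit) keys under one identifier, so a per-curve check would have to live on the key type rather than in these maps. The two initializers begin above their hunks.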
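--- a/src/Microsoft.IdentityModel.Tokens/SecurityAlgorithms.cs
+++ b/src/Microsoft.IdentityModel.Tokens/SecurityAlgorithms.cs
@@ -103,6 +103,16 @@ public static class SecurityAlgorithms
 
 // See: https://datatracker.ietf.org/doc/html/rfc7518#section-4.6
 public const string EcdhEs = "ECDH-ES";
+
+// See: https://www.rfc-editor.org/rfc/rfc9231.html#name-edwards-curve
+public const string EddsaEd25519Signature = "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519";
+public const string EddsaEd25519Sha512Signature = "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519ph";
+public const string EddsaEd25519WithContextSignature = "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519ctx";
+public const string EddsaEd448Signature = " http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448";
+public const string EddsaEd25519Shake256Signature = "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448ph";
+
+// See: https://datatracker.ietf.org/doc/html/rfc8032
+public const string Eddsa = "EdDSA";
 #pragma warning restore 1591
 }
 }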
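Review bot: The literal assigned to `EddsaEd448Signature` starts with a space inside the quotes, so the constant never equals the RFC 9231 URI and every lookup keyed on it (the size maps, `EddsaSigningAlgorithms`, the outbound map) silently misses for Ed448; it should read `public const string EddsaEd448Signature = "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448";`. The constant named `EddsaEd25519Shake256Signature` holds the `eddsa-ed448ph` URI and is sized as Ed448 elsewhere in the commit, so its name misdescribes the curve; `EddsaEd448Shake256Signature` (or `EddsaEd448PhSignature`) would follow the pattern of its siblings. The last new constant is declared as `Eddsa`, while the other three files reference `SecurityAlgorithms.EdDSA`; unless a member of that name already exists elsewhere in the class, those references do not compile, and one spelling should be chosen. A one-line `///` summary on each URI constant naming the curve and prehash variant (e.g. `/// <summary>Ed448 with SHAKE256 prehash (Ed448ph), RFC 9231.</summary>`) would keep readers from relying on the names alone.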
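--- a/src/Microsoft.IdentityModel.Tokens/SupportedAlgorithms.cs
+++ b/src/Microsoft.IdentityModel.Tokens/SupportedAlgorithms.cs
@@ -64,6 +64,16 @@ internal static class SupportedAlgorithms
 SecurityAlgorithms.RsaSsaPssSha512Signature
 };
 
+internal static readonly ICollection<string> EddsaSigningAlgorithms = new Collection<string>
+{
+SecurityAlgorithms.EdDSA,
+SecurityAlgorithms.EddsaEd25519Signature,
+SecurityAlgorithms.EddsaEd25519Sha512Signature,
+SecurityAlgorithms.EddsaEd25519WithContextSignature,
+SecurityAlgorithms.EddsaEd448Signature,
+SecurityAlgorithms.EddsaEd25519Shake256Signature
+};
+
 internal static readonly ICollection<string> SymmetricEncryptionAlgorithms = new Collection<string>
 {
 SecurityAlgorithms.Aes128CbcHmacSha256,
@@ -215,6 +225,10 @@ public static bool IsSupportedAlgorithm(string algorithm, SecurityKey key)
 if (key as RsaSecurityKey != null)
 return IsSupportedRsaAlgorithm(algorithm, key);
 
+if (key as EddsaSecurityKey != null) {
+return IsSupportedEddsaAlgorithm(algorithm, key);
+}
+
 if (key is X509SecurityKey x509Key)
 {
 // only RSA keys are supported
@@ -333,6 +347,10 @@ internal static bool IsSupportedRsaAlgorithm(string algorithm, SecurityKey key)
 || (RsaPssSigningAlgorithms.Contains(algorithm) && IsSupportedRsaPss(key));
 }
 
+internal static bool IsSupportedEddsaAlgorithm(string algorithm, EddsaSecurityKey key) {
+return EddsaSigningAlgorithms.Contains(algorithm);
+}
+
 private static bool IsSupportedRsaPss(SecurityKey key)
 {
 // RSACryptoServiceProvider doesn't support RSA-PSS
@@ -396,6 +414,14 @@ SecurityAlgorithms.RsaSsaPssSha512 or
 SecurityAlgorithms.RsaSsaPssSha512Signature or
 SecurityAlgorithms.RsaSha512Signature => 1024,
 
+SecurityAlgorithms.EdDSA or
+SecurityAlgorithms.EddsaEd25519Signature or
+SecurityAlgorithms.EddsaEd25519Sha512Signature or
+SecurityAlgorithms.EddsaEd25519WithContextSignature => 512,
+
+SecurityAlgorithms.EddsaEd448Signature or
+SecurityAlgorithms.EddsaEd25519Shake256Signature => 912,
+
 // if we don't know the algorithm, report 2K twice as big as any known algorithm.
 _ => 2048,
 };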
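Review bot: In `IsSupportedAlgorithm`, `key` is declared `SecurityKey` (see the hunk header) but is passed to the new `IsSupportedEddsaAlgorithm(string, EddsaSecurityKey)`, and there is no implicit conversion, so this hunk does not compile; a type pattern does the check and the narrowing in one step, mirroring the `x509Key` test just below it: `if (key is EddsaSecurityKey eddsaKey)` / `return IsSupportedEddsaAlgorithm(algorithm, eddsaKey);`. `EddsaSecurityKey` is not among the four files this commit touches, so it must already exist in the repository for the build to succeed — worth confirming. Once narrowed, the `key` parameter of `IsSupportedEddsaAlgorithm` is unused; if the key type exposes its curve, using it to reject an Ed448 key presented under an Ed25519 identifier (and vice versa) would be stronger than the identifier-only check, which accepts any EdDSA name for any EdDSA key. In the last hunk the new arms return 512 and 912, the bit lengths of Ed25519 and Ed448 signatures, whereas the neighbouring `RsaSha512Signature => 1024` reads like a byte count; if the switch returns bytes the values should be 64 and 114, which the method's summary above the hunk should settle. `IsSupportedAlgorithm` and the final switch both begin before their hunks and continue after them.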
Expand Up @@ -70,6 +70,12 @@ public class JwtSecurityTokenHandler : SecurityTokenHandler
{ SecurityAlgorithms.RsaSha256Signature, SecurityAlgorithms.RsaSha256 },
{ SecurityAlgorithms.RsaSha384Signature, SecurityAlgorithms.RsaSha384 },
{ SecurityAlgorithms.RsaSha512Signature, SecurityAlgorithms.RsaSha512 },

{ SecurityAlgorithms.EddsaEd25519Signature, SecurityAlgorithms.EdDSA },
{ SecurityAlgorithms.EddsaEd25519Sha512Signature, SecurityAlgorithms.EdDSA },
{ SecurityAlgorithms.EddsaEd25519WithContextSignature, SecurityAlgorithms.EdDSA },
{ SecurityAlgorithms.EddsaEd448Signature, SecurityAlgorithms.EdDSA },
{ SecurityAlgorithms.EddsaEd25519Shake256Signature, SecurityAlgorithms.EdDSA },
};

/// <summary>
