Moved EncryptionSetting into own class

3a86e4f2 · Klaus Fischer · a24af9f4 · 3a86e4f2 · 3a86e4f2 · 3a86e4f2
Commit 3a86e4f2 authored 2 years ago by Klaus Fischer
--- a/FitConnect/Encryption/CertificateHelper.cs
+++ b/FitConnect/Encryption/CertificateHelper.cs
@@ -107,9 +107,9 @@ public class CertificateHelper {

 public static class CertificateExtensions {
    public static bool MatchesFitConnectRequirements(this JsonWebKey key) {
-        return key.X5c.Count == 3
-               && key.KeySize == 4096
-               && (key.Alg == "PS512" || key.Alg == "RSA-OAEP-256")
-               && (key.KeyOps.Contains("wrapKey") || key.KeyOps.Contains("verify"));
+        return key.X5c.Count == EncryptionSettings.CertificateChainLength
+               && key.KeySize == EncryptionSettings.MinKeySize
+               && (key.Alg == EncryptionSettings.SigningAlgorithm || key.Alg == EncryptionSettings.EncryptionAlgorithm)
+               && (key.KeyOps.Contains(EncryptionSettings.KeyOpsWrapKey) || key.KeyOps.Contains(EncryptionSettings.KeyOpsVerify));
    }
 }
--- a/FitConnect/Encryption/EncryptionSettings.cs
+++ b/FitConnect/Encryption/EncryptionSettings.cs
+using Jose;
+
+namespace FitConnect.Encryption;
+
+public static class EncryptionSettings {
+    public static readonly int CertificateChainLength = 3;
+    public static readonly string SigningAlgorithm = "PS512";
+    public static readonly string EncryptionAlgorithm = "RSA-OAEP-256";
+    public static readonly string JwtHeaderType = "secevent+jwt";
+    public static readonly string ShaType = "sha512";
+    public static readonly IEnumerable<string> ValidTokenAlgorithms = new[] { "PS512" };
+    public static readonly int MinKeySize = 4096;
+    public static readonly string KeyOpsWrapKey = "wrapKey";
+    public static readonly string KeyOpsVerify = "verify";
+    
+    public const JweEncryption Encryption = JweEncryption.A256GCM;
+    public const JweCompression Compression = JweCompression.DEF;
+    public const JweAlgorithm Algorithm = JweAlgorithm.RSA_OAEP_256;
+    public const SerializationMode SerializationMode = Jose.SerializationMode.Compact;
+}
--- a/FitConnect/Encryption/FitEncryption.cs
+++ b/FitConnect/Encryption/FitEncryption.cs
 using System.IdentityModel.Tokens.Jwt;
+using System.Security;
 using System.Security.Cryptography;
 using System.Text;
 using FitConnect.Models;
@@ -129,7 +130,8 @@ public class FitEncryption {
    }


-    public async Task<string> CreateAcceptSecurityEventToken(Submission submission, IEnumerable<Problems>? problems) {
+    public async Task<string> CreateAcceptSecurityEventToken(Submission submission,
+        IEnumerable<Problems>? problems) {
        var payload = GenerateAuthenticationTags(submission);
        return await CreateSecurityEventToken(submission.Id, submission.CaseId,
            submission.DestinationId,
@@ -148,12 +150,12 @@ public class FitEncryption {
        var subject = "submission:" + submissionId;

        _jwtHeader =
-            new JwtHeader(new SigningCredentials(signingKey, "PS512"));
+            new JwtHeader(new SigningCredentials(signingKey, EncryptionSettings.SigningAlgorithm));

        JsonExtensions.Serializer = JsonConvert.SerializeObject;
        JsonExtensions.Deserializer = JsonConvert.DeserializeObject;

-        _jwtHeader["typ"] = "secevent+jwt";
+        _jwtHeader["typ"] = EncryptionSettings.JwtHeaderType;

        var jwtPayload = new JwtPayload {
            { "sub", subject },
@@ -192,14 +194,14 @@ public class FitEncryption {

    public static DataHash CalculateHash(string data) {
        return new DataHash {
-            Type = "sha512",
+            Type = EncryptionSettings.ShaType,
            Content = ByteToHexString(SHA512.Create().ComputeHash(Encoding.UTF8.GetBytes(data)))
        };
    }

    public static DataHash CalculateHash(byte[] data) {
        return new DataHash {
-            Type = "sha512",
+            Type = EncryptionSettings.ShaType,
            Content = ByteToHexString(SHA512.Create().ComputeHash(data))
        };
    }
@@ -238,11 +240,11 @@ public class FitEncryption {

        logger?.LogTrace("Verifying JWT {Token}", signature);

-        if (key.KeySize != 4096)
-            throw new Exception("Key size must be 4096");
+        if (key.KeySize != EncryptionSettings.MinKeySize)
+            throw new SecurityException($"Key size must be {EncryptionSettings.MinKeySize}");

        var result = tokenHandler.ValidateToken(signature, new TokenValidationParameters {
-            ValidAlgorithms = new[] { "PS512" },
+            ValidAlgorithms = EncryptionSettings.ValidTokenAlgorithms,
            IssuerSigningKey = key,
            ValidateIssuerSigningKey = true,
            ValidateIssuer = false,

--- a/FitConnect/Encryption/JoseEncryptor.cs
+++ b/FitConnect/Encryption/JoseEncryptor.cs
@@ -5,10 +5,7 @@ using Jose;
 namespace FitConnect.Encryption;

 public class JoseEncryptor : IEncryptor {
-    private const JweEncryption Encryption = JweEncryption.A256GCM;
-    private const JweCompression Compression = JweCompression.DEF;
-    private const JweAlgorithm Algorithm = JweAlgorithm.RSA_OAEP_256;
-    private const SerializationMode SerializationMode = Jose.SerializationMode.Compact;
+

    private const string ErrorMessage =
        "On macOS add DYLD_LIBRARY_PATH to your environment variables. Look at the README for more information.";
@@ -28,16 +25,16 @@ public class JoseEncryptor : IEncryptor {
    public string Encrypt(string key, string plain) {
        try {
            var jwk = Jwk.FromJson(key, new JsonMapper());
-            if (!jwk.KeyOps.Contains("wrapKey"))
+            if (!jwk.KeyOps.Contains(EncryptionSettings.KeyOpsWrapKey))
                throw new EncryptionException("Key can not be used for encryption");
            return JWE.Encrypt(plain,
-                new JweRecipient[] { new(Algorithm, jwk) },
-                Encryption,
-                compression: Compression,
-                mode: SerializationMode,
+                new JweRecipient[] { new(EncryptionSettings.Algorithm, jwk) },
+                EncryptionSettings.Encryption,
+                compression: EncryptionSettings.Compression,
+                mode: EncryptionSettings.SerializationMode,
                extraProtectedHeaders: new Dictionary<string, object> {
                    { "kid", jwk.KeyId },
-                    { "cty", "application/json" }
+                    { "cty", System.Net.Mime.MediaTypeNames.Application.Json }
                }
            );
        }
@@ -50,13 +47,13 @@ public class JoseEncryptor : IEncryptor {
        try {
            var jwk = Jwk.FromJson(key, new JsonMapper());
            return JWE.EncryptBytes(plain,
-                new JweRecipient[] { new(Algorithm, jwk) },
-                Encryption,
-                compression: Compression,
-                mode: SerializationMode,
+                new JweRecipient[] { new(EncryptionSettings.Algorithm, jwk) },
+                EncryptionSettings. Encryption,
+                compression: EncryptionSettings.Compression,
+                mode: EncryptionSettings.SerializationMode,
                extraProtectedHeaders: new Dictionary<string, object> {
                    { "kid", jwk.KeyId },
-                    { "cty", "application/json" }
+                    { "cty", System.Net.Mime.MediaTypeNames.Application.Json }
                }
            );
        }
@@ -66,7 +63,7 @@ public class JoseEncryptor : IEncryptor {
    }

    private (string plainText, byte[] plainBytes, byte[] tag) Decrypt(Jwk key, string payload) {
-        var result = JWE.Decrypt(payload, key, Algorithm, Encryption);
+        var result = JWE.Decrypt(payload, key, EncryptionSettings.Algorithm, EncryptionSettings.Encryption);

        return (result.Plaintext, result.PlaintextBytes, result.AuthTag);
    }