Merge pull request #2 from filipw/keymanager

Added support for automatic key management

Author: filipw

samples/IdentityServer/HostingExtensions.cs

@@ -1,13 +1,9 @@
-using System.Reflection;
 using System.Text.Json;
-using Duende.IdentityServer;
-using Duende.IdentityServer.Models;
+using Duende.IdentityServer.Configuration;
 using Duende.IdentityServer.ResponseHandling;
-using Duende.IdentityServer.Services;
-using Duende.IdentityServer.Stores;
-using Microsoft.IdentityModel.Tokens;
+using Duende.IdentityServer.Services.KeyManagement;
 using Strathweb.Dilithium.DuendeIdentityServer;
-using Strathweb.Dilithium.IdentityModel;
+using Strathweb.Dilithium.DuendeIdentityServer.KeyManagement;
 using JsonWebKey = Microsoft.IdentityModel.Tokens.JsonWebKey;
 
 namespace IdentityServer;
@@ -16,12 +12,16 @@ internal static class HostingExtensions
 {
     public static WebApplication ConfigureServices(this WebApplicationBuilder builder)
     {
-        var rawJwk = File.ReadAllText(Path.Combine(Directory.GetCurrentDirectory(), "crydi3.json"));
-        var jwk = JsonSerializer.Deserialize<JsonWebKey>(rawJwk);
+        //var rawJwk = File.ReadAllText(Path.Combine(Directory.GetCurrentDirectory(), "crydi3.json"));
+        //var jwk = JsonSerializer.Deserialize<JsonWebKey>(rawJwk);
 
-        builder.Services.AddIdentityServer(opt => opt.EmitStaticAudienceClaim = true)
-            //.AddDilithiumSigningCredential(new DilithiumSecurityKey("CRYDI3")) // new key per startup
-            .AddDilithiumSigningCredential(new DilithiumSecurityKey(jwk)) // key from the filesystem
+        builder.Services.AddIdentityServer(opt =>
+            {
+                opt.EmitStaticAudienceClaim = true;
+            })
+            .AddDilithiumSupport() // automatic key management
+            //.AddDilithiumSigningCredential(new DilithiumSecurityKey("CRYDI3")) // new fixed key per startup
+            //.AddDilithiumSigningCredential(new DilithiumSecurityKey(jwk)) // fixed key from the filesystem / storage
             .AddInMemoryApiScopes(Config.ApiScopes)
             .AddInMemoryApiResources(Config.ApiResources)
             .AddInMemoryClients(Config.Clients);

samples/IdentityServer/IdentityServer.csproj

@@ -12,4 +12,8 @@
   <ItemGroup>
     <ProjectReference Include="..\..\src\Strathweb.Dilithium.DuendeIdentityServer\Strathweb.Dilithium.DuendeIdentityServer.csproj" />
   </ItemGroup>
+  
+  <ItemGroup>
+    <_ContentIncludedByDefault Remove="keys\is-signing-key-30F471175932A17FAD74ABFBE856E9AA.json" />
+  </ItemGroup>
 </Project>

src/Strathweb.Dilithium.DuendeIdentityServer/DilithiumIdentityServerExtensions.cs

@@ -1,15 +1,77 @@
 using System.Text.Json;
+using Duende.IdentityServer.Configuration;
 using Duende.IdentityServer.Models;
+using Duende.IdentityServer.ResponseHandling;
+using Duende.IdentityServer.Services.KeyManagement;
 using Duende.IdentityServer.Stores;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.IdentityModel.Tokens;
+using Strathweb.Dilithium.DuendeIdentityServer.KeyManagement;
 using Strathweb.Dilithium.IdentityModel;
 using JsonWebKey = Microsoft.IdentityModel.Tokens.JsonWebKey;
 
 namespace Strathweb.Dilithium.DuendeIdentityServer;
 
 public static class DilithiumIdentityServerExtensions
 {
+    public static IIdentityServerBuilder AddDilithiumSupport(this IIdentityServerBuilder builder)
+    {
+        return builder.AddDilithiumSupport(new DilithiumSupportOptions());
+    }
+    
+    public static IIdentityServerBuilder AddDilithiumSupport(this IIdentityServerBuilder builder, DilithiumSupportOptions dilithiumSupportOptions)
+    {
+        if (builder == null) throw new ArgumentNullException(nameof(builder));
+        if (dilithiumSupportOptions == null) throw new ArgumentNullException(nameof(dilithiumSupportOptions));
+        
+        if (dilithiumSupportOptions.EnableKeyManagement)
+        {
+            if (dilithiumSupportOptions.StaticKey != null)
+            {
+                throw new ArgumentException(
+                    "It is not possible to use both automatic key management and a static key. Choose one or the other.");
+            }
+            
+            if (dilithiumSupportOptions.KeyManagementAlgorithm != "CRYDI2" && dilithiumSupportOptions.KeyManagementAlgorithm != "CRYDI3" && dilithiumSupportOptions.KeyManagementAlgorithm != "CRYDI5")
+            {
+                throw new NotSupportedException(
+                    $"Algorithm {dilithiumSupportOptions.KeyManagementAlgorithm} is not supported. Supported algorithms: CRYDI2, CRYDI3 and CRYDI5.");
+            }
+            
+            if (dilithiumSupportOptions.DisallowNonDilithiumKeys)
+            {
+                builder.Services.Configure((IdentityServerOptions identityServerOptions) =>
+                {
+                    identityServerOptions.KeyManagement.Enabled = true;
+                    identityServerOptions.KeyManagement.SigningAlgorithms = new[]
+                    {
+                        new SigningAlgorithmOptions(dilithiumSupportOptions.KeyManagementAlgorithm)
+                    };
+                });
+            }
+            else
+            {
+                builder.Services.Configure((IdentityServerOptions identityServerOptions) =>
+                {
+                    identityServerOptions.KeyManagement.Enabled = true;
+                    var configuredAlgorithms = identityServerOptions.KeyManagement.SigningAlgorithms.ToList();
+                    configuredAlgorithms.Add(
+                        new SigningAlgorithmOptions(dilithiumSupportOptions.KeyManagementAlgorithm));
+                    identityServerOptions.KeyManagement.SigningAlgorithms = configuredAlgorithms;
+                });
+            }
+            builder.Services.AddTransient<IKeyManager, DilithiumKeyManager>();
+            builder.Services.AddTransient<ISigningKeyProtector, DilithiumDataProtectionKeyProtector>();
+            builder.Services.AddTransient<IDiscoveryResponseGenerator, DilithiumAwareDiscoveryResponseGenerator>();
+        } 
+        else if (dilithiumSupportOptions.StaticKey is { } fixedKey)
+        {
+            builder.AddDilithiumSigningCredential(fixedKey);
+        }
+
+        return builder;
+    }
+    
     public static IIdentityServerBuilder AddDilithiumSigningCredential(this IIdentityServerBuilder builder, DilithiumSecurityKey securityKey)
     {
         var credential = new SigningCredentials(securityKey, securityKey.SupportedAlgorithm);

src/Strathweb.Dilithium.DuendeIdentityServer/DilithiumSupportOptions.cs

@@ -0,0 +1,14 @@
+using Strathweb.Dilithium.IdentityModel;
+
+namespace Strathweb.Dilithium.DuendeIdentityServer;
+
+public class DilithiumSupportOptions
+{
+    public bool EnableKeyManagement { get; set; } = true;
+
+    public string KeyManagementAlgorithm { get; set; } = "CRYDI3";
+
+    public bool DisallowNonDilithiumKeys { get; set; } = true;
+    
+    public DilithiumSecurityKey? StaticKey { get; set; }
+}

src/Strathweb.Dilithium.DuendeIdentityServer/KeyManagement/DilithiumAwareDiscoveryResponseGenerator.cs

@@ -0,0 +1,45 @@
+using Duende.IdentityServer.Configuration;
+using Duende.IdentityServer.Models;
+using Duende.IdentityServer.ResponseHandling;
+using Duende.IdentityServer.Services;
+using Duende.IdentityServer.Stores;
+using Duende.IdentityServer.Validation;
+using Microsoft.Extensions.Logging;
+using Strathweb.Dilithium.IdentityModel;
+
+namespace Strathweb.Dilithium.DuendeIdentityServer.KeyManagement;
+
+public class DilithiumAwareDiscoveryResponseGenerator : DiscoveryResponseGenerator
+{
+    public DilithiumAwareDiscoveryResponseGenerator(IdentityServerOptions options, IResourceStore resourceStore, IKeyMaterialService keys, ExtensionGrantValidator extensionGrants, ISecretsListParser secretParsers, IResourceOwnerPasswordValidator resourceOwnerValidator, ILogger<DiscoveryResponseGenerator> logger) : base(options, resourceStore, keys, extensionGrants, secretParsers, resourceOwnerValidator, logger)
+    {
+    }
+
+    public override async Task<IEnumerable<JsonWebKey>> CreateJwkDocumentAsync()
+    {
+        var publishedKeys = (await base.CreateJwkDocumentAsync()).ToList();
+        var dilithiumKeys = (await Keys.GetValidationKeysAsync()).Where(key => key.Key is DilithiumSecurityKey);
+
+        foreach (var dilithiumKey in dilithiumKeys)
+        {
+            var jsonWebKey = (dilithiumKey.Key as DilithiumSecurityKey)?.ToJsonWebKey(includePrivateKey: false);
+            var webKey = new JsonWebKey
+            {
+                kty = jsonWebKey.Kty,
+                use = jsonWebKey.Use ?? "sig",
+                kid = jsonWebKey.Kid,
+                x5t = jsonWebKey.X5t,
+                e = jsonWebKey.E,
+                n = jsonWebKey.N,
+                x5c = jsonWebKey.X5c?.Count == 0 ? null : jsonWebKey.X5c.ToArray(),
+                alg = jsonWebKey.Alg,
+                crv = jsonWebKey.Crv,
+                x = jsonWebKey.X,
+                y = jsonWebKey.Y
+            };
+            publishedKeys.Add(webKey);
+        }
+
+        return publishedKeys;
+    }
+}

src/Strathweb.Dilithium.DuendeIdentityServer/KeyManagement/DilithiumDataProtectionKeyProtector.cs

@@ -0,0 +1,69 @@
+using Duende.IdentityServer.Configuration;
+using Duende.IdentityServer.Models;
+using Duende.IdentityServer.Services.KeyManagement;
+using Microsoft.AspNetCore.DataProtection;
+
+namespace Strathweb.Dilithium.DuendeIdentityServer.KeyManagement;
+
+public class DilithiumDataProtectionKeyProtector : ISigningKeyProtector
+{
+    private readonly IDataProtector _dataProtectionProvider;
+    private readonly KeyManagementOptions _options;
+
+    public DilithiumDataProtectionKeyProtector(KeyManagementOptions options, IDataProtectionProvider dataProtectionProvider)
+    {
+        _options = options;
+        _dataProtectionProvider = dataProtectionProvider.CreateProtector(nameof(DataProtectionKeyProtector));
+    }
+    
+    public SerializedKey Protect(KeyContainer key)
+    {
+        var data = KeySerializer.Serialize(key);
+            
+        if (_options.DataProtectKeys)
+        {
+            data = _dataProtectionProvider.Protect(data);
+        }
+            
+        return new SerializedKey
+        {
+            Version = 1,
+            Created = DateTime.UtcNow,
+            Id = key.Id,
+            Algorithm = key.Algorithm,
+            IsX509Certificate = key.HasX509Certificate,
+            Data = data,
+            DataProtected = _options.DataProtectKeys,
+        };
+    }
+    
+    public KeyContainer Unprotect(SerializedKey key)
+    {
+        var data = key.DataProtected ? 
+            _dataProtectionProvider.Unprotect(key.Data) : 
+            key.Data;
+
+        if (key.IsX509Certificate)
+        {
+            return KeySerializer.Deserialize<X509KeyContainer>(data);
+        }
+
+        if (key.Algorithm.StartsWith("R") || key.Algorithm.StartsWith("P"))
+        {
+            return KeySerializer.Deserialize<RsaKeyContainer>(data);
+        }
+            
+        if (key.Algorithm.StartsWith("E"))
+        {
+            return KeySerializer.Deserialize<EcKeyContainer>(data);
+        }
+        
+        if (key.Algorithm.StartsWith("CRYDI"))
+        {
+            Console.WriteLine("Deserializing protected dilithium key");
+            return KeySerializer.Deserialize<DilithiumKeyContainer>(data);
+        }
+
+        throw new Exception($"Invalid Algorithm: {key.Algorithm} for kid: {key.Id}");
+    }
+}

src/Strathweb.Dilithium.DuendeIdentityServer/KeyManagement/DilithiumKeyContainer.cs

@@ -0,0 +1,41 @@
+using Duende.IdentityServer.Services.KeyManagement;
+using Microsoft.IdentityModel.Tokens;
+using Strathweb.Dilithium.IdentityModel;
+
+namespace Strathweb.Dilithium.DuendeIdentityServer.KeyManagement;
+
+public class DilithiumKeyContainer : KeyContainer
+{
+    /// <summary>
+    /// Constructor for DilithiumKeyContainer.
+    /// </summary>
+    public DilithiumKeyContainer() : base()
+    {
+    }
+
+    /// <summary>
+    /// Constructor for DilithiumKeyContainer.
+    /// </summary>
+    public DilithiumKeyContainer(DilithiumSecurityKey key, string algorithm, DateTime created)
+        : base(key.KeyId, algorithm, created)
+    {
+        D = key.PrivateKey.GetEncoded();
+        X = key.PublicKey.GetEncoded();
+    }
+
+    /// <summary>
+    /// Private key
+    /// </summary>
+    public byte[] D { get; set; }
+
+    /// <summary>
+    /// Public key
+    /// </summary>
+    public byte[] X { get; set; }
+
+    /// <inheritdoc/>
+    public override AsymmetricSecurityKey ToSecurityKey()
+    {
+        return new DilithiumSecurityKey(Algorithm, Id, X, D);
+    }
+}