feat: Allow injecting private key decryptor for jwt (box/box-codegen#754) (#528)

Author: box-sdk-build

.codegen.json

@@ -1 +1 @@
-{ "engineHash": "fc1155c", "specHash": "8402463", "version": "1.10.0" }
+{ "engineHash": "b8e7dbb", "specHash": "8402463", "version": "1.10.0" }

Box.Sdk.Gen/Box/JwtAuth/BoxJwtAuth.cs

@@ -47,7 +47,7 @@ public async System.Threading.Tasks.Task<AccessToken> RefreshTokenAsync(NetworkS
             }
             JwtAlgorithm alg = this.Config.Algorithm != null ? NullableUtils.Unwrap(this.Config.Algorithm) : JwtAlgorithm.Rs256;
             Dictionary<string, object> claims = new Dictionary<string, object>() { { "exp", Utils.GetEpochTimeInSeconds() + 30 }, { "box_sub_type", this.SubjectType } };
-            JwtSignOptions jwtOptions = new JwtSignOptions(algorithm: alg, audience: "https://api.box.com/oauth2/token", subject: this.SubjectId, issuer: this.Config.ClientId, jwtid: Utils.GetUUID(), keyid: this.Config.JwtKeyId);
+            JwtSignOptions jwtOptions = new JwtSignOptions(algorithm: alg, audience: "https://api.box.com/oauth2/token", subject: this.SubjectId, issuer: this.Config.ClientId, jwtid: Utils.GetUUID(), keyid: this.Config.JwtKeyId, privateKeyDecryptor: this.Config.PrivateKeyDecryptor);
             JwtKey jwtKey = new JwtKey(key: this.Config.PrivateKey, passphrase: this.Config.PrivateKeyPassphrase);
             string assertion = JwtUtils.CreateJwtAssertion(claims: claims, key: jwtKey, options: jwtOptions);
             AuthorizationManager authManager = new AuthorizationManager(networkSession: networkSession != null ? NullableUtils.Unwrap(networkSession) : new NetworkSession());

Box.Sdk.Gen/Box/JwtAuth/JwtConfig.cs

@@ -46,13 +46,16 @@ public class JwtConfig {
 
         public ITokenStorage TokenStorage { get; }
 
-        public JwtConfig(string clientId, string clientSecret, string jwtKeyId, string privateKey, string privateKeyPassphrase, ITokenStorage? tokenStorage = default) {
+        public IPrivateKeyDecryptor PrivateKeyDecryptor { get; }
+
+        public JwtConfig(string clientId, string clientSecret, string jwtKeyId, string privateKey, string privateKeyPassphrase, ITokenStorage? tokenStorage = default, IPrivateKeyDecryptor? privateKeyDecryptor = default) {
             ClientId = clientId;
             ClientSecret = clientSecret;
             JwtKeyId = jwtKeyId;
             PrivateKey = privateKey;
             PrivateKeyPassphrase = privateKeyPassphrase;
             TokenStorage = tokenStorage ?? new InMemoryTokenStorage();
+            PrivateKeyDecryptor = privateKeyDecryptor ?? new DefaultPrivateKeyDecryptor();
         }
         /// <summary>
         /// Create an auth instance as defined by a string content of JSON file downloaded from the Box Developer Console.
@@ -62,11 +65,16 @@ public JwtConfig(string clientId, string clientSecret, string jwtKeyId, string p
         /// String content of JSON file containing the configuration.
         /// </param>
         /// <param name="tokenStorage">
-        /// Object responsible for storing token. If no custom implementation provided, the token will be stored in memory.g
+        /// Object responsible for storing token. If no custom implementation provided, the token will be stored in memory
+        /// </param>
+        /// <param name="privateKeyDecryptor">
+        /// Object responsible for decrypting private key for jwt auth. If no custom implementation provided, the DefaultPrivateKeyDecryptor will be used.
         /// </param>
-        public static JwtConfig FromConfigJsonString(string configJsonString, ITokenStorage? tokenStorage = null) {
+        public static JwtConfig FromConfigJsonString(string configJsonString, ITokenStorage? tokenStorage = null, IPrivateKeyDecryptor? privateKeyDecryptor = null) {
             JwtConfigFile configJson = SimpleJsonSerializer.Deserialize<JwtConfigFile>(JsonUtils.JsonToSerializedData(text: configJsonString));
-            JwtConfig newConfig = tokenStorage != null ? new JwtConfig(clientId: configJson.BoxAppSettings.ClientId, clientSecret: configJson.BoxAppSettings.ClientSecret, jwtKeyId: configJson.BoxAppSettings.AppAuth.PublicKeyId, privateKey: configJson.BoxAppSettings.AppAuth.PrivateKey, privateKeyPassphrase: configJson.BoxAppSettings.AppAuth.Passphrase, tokenStorage: tokenStorage) { EnterpriseId = configJson.EnterpriseId, UserId = configJson.UserId } : new JwtConfig(clientId: configJson.BoxAppSettings.ClientId, clientSecret: configJson.BoxAppSettings.ClientSecret, jwtKeyId: configJson.BoxAppSettings.AppAuth.PublicKeyId, privateKey: configJson.BoxAppSettings.AppAuth.PrivateKey, privateKeyPassphrase: configJson.BoxAppSettings.AppAuth.Passphrase) { EnterpriseId = configJson.EnterpriseId, UserId = configJson.UserId };
+            ITokenStorage? tokenStorageToUse = tokenStorage == null ? new InMemoryTokenStorage() : tokenStorage;
+            IPrivateKeyDecryptor? privateKeyDecryptorToUse = privateKeyDecryptor == null ? new DefaultPrivateKeyDecryptor() : privateKeyDecryptor;
+            JwtConfig newConfig = new JwtConfig(clientId: configJson.BoxAppSettings.ClientId, clientSecret: configJson.BoxAppSettings.ClientSecret, jwtKeyId: configJson.BoxAppSettings.AppAuth.PublicKeyId, privateKey: configJson.BoxAppSettings.AppAuth.PrivateKey, privateKeyPassphrase: configJson.BoxAppSettings.AppAuth.Passphrase, tokenStorage: tokenStorageToUse, privateKeyDecryptor: privateKeyDecryptorToUse) { EnterpriseId = configJson.EnterpriseId, UserId = configJson.UserId };
             return newConfig;
         }
 
@@ -80,9 +88,12 @@ public static JwtConfig FromConfigJsonString(string configJsonString, ITokenStor
         /// <param name="tokenStorage">
         /// Object responsible for storing token. If no custom implementation provided, the token will be stored in memory.
         /// </param>
-        public static JwtConfig FromConfigFile(string configFilePath, ITokenStorage? tokenStorage = null) {
+        /// <param name="privateKeyDecryptor">
+        /// Object responsible for decrypting private key for jwt auth. If no custom implementation provided, the DefaultPrivateKeyDecryptor will be used.
+        /// </param>
+        public static JwtConfig FromConfigFile(string configFilePath, ITokenStorage? tokenStorage = null, IPrivateKeyDecryptor? privateKeyDecryptor = null) {
             string configJsonString = Utils.ReadTextFromFile(filepath: configFilePath);
-            return JwtConfig.FromConfigJsonString(configJsonString: configJsonString, tokenStorage: tokenStorage);
+            return JwtConfig.FromConfigJsonString(configJsonString: configJsonString, tokenStorage: tokenStorage, privateKeyDecryptor: privateKeyDecryptor);
         }
 
     }

Box.Sdk.Gen/Box/JwtUtils.cs

@@ -1,14 +1,7 @@
 using Microsoft.IdentityModel.Tokens;
-using Org.BouncyCastle.Asn1.Pkcs;
-using Org.BouncyCastle.Crypto.Asymmetric;
-using Org.BouncyCastle.OpenSsl;
-using Org.BouncyCastle.Operators;
-using Org.BouncyCastle.Pkcs;
-using Org.BouncyCastle.Security;
 using System;
 using System.Collections.Generic;
 using System.IdentityModel.Tokens.Jwt;
-using System.IO;
 using System.Linq;
 using System.Security.Claims;
 using System.Security.Cryptography;
@@ -51,7 +44,7 @@ internal static string CreateJwtAssertion(Dictionary<string, object> claims, Jwt
             var jwtPayload = new JwtPayload(options.Issuer, options.Audience,
                 jwtClaims, null, DateTimeOffset.FromUnixTimeSeconds(expTime).LocalDateTime);
 
-            var signingCredentials = GetSigningCredentials(key);
+            var signingCredentials = GetSigningCredentials(key, options);
 
             var header = new JwtHeader(signingCredentials);
 
@@ -61,70 +54,15 @@ internal static string CreateJwtAssertion(Dictionary<string, object> claims, Jwt
             return assertion;
         }
 
-        private static SigningCredentials GetSigningCredentials(JwtKey key)
+        private static SigningCredentials GetSigningCredentials(JwtKey key, JwtSignOptions options)
         {
-            using (var keyReader = new StringReader(key.Key))
-            {
-                var reader = new OpenSslPemReader(keyReader);
-                var privateCrtKeyParams = reader.ReadObject();
-
-                if (privateCrtKeyParams == null)
-                {
-                    throw new ArgumentException("Invalid private JWT key!");
-                }
-
-                if (privateCrtKeyParams is Pkcs8EncryptedPrivateKeyInfo)
-                {
-                    var pkcs8 = (Pkcs8EncryptedPrivateKeyInfo)privateCrtKeyParams;
-                    PrivateKeyInfo privateKeyInfo = pkcs8.DecryptPrivateKeyInfo(
-                new PkixPbeDecryptorProviderBuilder().Build(key.Passphrase.ToCharArray()));
-                    var bcKey = AsymmetricKeyFactory.CreatePrivateKey(privateKeyInfo.GetEncoded());
-
-                    if (bcKey is AsymmetricRsaPrivateKey)
-                    {
-                        var bcRsaKey = (AsymmetricRsaPrivateKey)bcKey;
-                        var rsaParams = ToRSAParameters(bcRsaKey);
-                        var rsaKey = new RsaSecurityKey(rsaParams);
-
-                        return new SigningCredentials(rsaKey, SecurityAlgorithms.RsaSha256);
-                    }
-                }
-
-                throw new ArgumentException("Provided JWT Key format is not supported");
-            }
-        }
+            var rsa = options.PrivateKeyDecryptor.DecryptPrivateKey(key.Key, key.Passphrase);
 
-        private static RSAParameters ToRSAParameters(AsymmetricRsaPrivateKey privateKey)
-        {
-            RSAParameters rp = new RSAParameters();
-            rp.Modulus = privateKey.Modulus.ToByteArrayUnsigned();
-            rp.Exponent = privateKey.PublicExponent.ToByteArrayUnsigned();
-            rp.P = privateKey.P.ToByteArrayUnsigned();
-            rp.Q = privateKey.Q.ToByteArrayUnsigned();
-            rp.D = ConvertRSAParametersField(privateKey.PrivateExponent, rp.Modulus.Length);
-            rp.DP = ConvertRSAParametersField(privateKey.DP, rp.P.Length);
-            rp.DQ = ConvertRSAParametersField(privateKey.DQ, rp.Q.Length);
-            rp.InverseQ = ConvertRSAParametersField(privateKey.QInv, rp.Q.Length);
-            return rp;
-        }
+            var rsaKey = new RsaSecurityKey(rsa);
 
-        private static byte[] ConvertRSAParametersField(Org.BouncyCastle.Math.BigInteger n, int size)
-        {
-            byte[] bs = n.ToByteArrayUnsigned();
-            if (bs.Length == size)
-            {
-                return bs;
-            }
-
-            if (bs.Length > size)
-            {
-                throw new ArgumentException("Specified size too small", "size");
-            }
-
-            byte[] padded = new byte[size];
-            Array.Copy(bs, 0, padded, size - bs.Length, bs.Length);
-            return padded;
+            return new SigningCredentials(rsaKey, SecurityAlgorithms.RsaSha256);
         }
+
     }
 
     enum JwtAlgorithm
@@ -152,15 +90,17 @@ class JwtSignOptions
         internal string Issuer { get; }
         internal string Jwtid { get; }
         internal string Keyid { get; }
+        internal IPrivateKeyDecryptor PrivateKeyDecryptor { get; }
 
-        public JwtSignOptions(JwtAlgorithm algorithm, string audience, string subject, string issuer, string jwtid, string keyid)
+        public JwtSignOptions(JwtAlgorithm algorithm, string audience, string subject, string issuer, string jwtid, string keyid, IPrivateKeyDecryptor privateKeyDecryptor)
         {
             Algorithm = algorithm;
             Audience = audience;
             Subject = subject;
             Issuer = issuer;
             Jwtid = jwtid;
             Keyid = keyid;
+            PrivateKeyDecryptor = privateKeyDecryptor;
         }
     }
 }

Box.Sdk.Gen/Internal/DefaultPrivateKeyDecryptor.cs

@@ -0,0 +1,90 @@
+using Org.BouncyCastle.Asn1.Pkcs;
+using Org.BouncyCastle.Crypto.Asymmetric;
+using Org.BouncyCastle.OpenSsl;
+using Org.BouncyCastle.Operators;
+using Org.BouncyCastle.Pkcs;
+using Org.BouncyCastle.Security;
+using System;
+using System.IO;
+using System.Security.Cryptography;
+
+namespace Box.Sdk.Gen
+{
+    internal class DefaultPrivateKeyDecryptor : IPrivateKeyDecryptor
+    {
+
+        internal DefaultPrivateKeyDecryptor()
+        {
+        }
+
+        /// <summary>
+        /// Decrypts private key using a passphrase.
+        /// </summary>
+        public RSA DecryptPrivateKey(string encryptedPrivateKey, string passphrase)
+        {
+            using (var keyReader = new StringReader(encryptedPrivateKey))
+            {
+                var reader = new OpenSslPemReader(keyReader);
+                var privateCrtKeyParams = reader.ReadObject();
+
+                if (privateCrtKeyParams == null)
+                {
+                    throw new ArgumentException("Invalid private JWT key!");
+                }
+
+                if (privateCrtKeyParams is Pkcs8EncryptedPrivateKeyInfo)
+                {
+                    var pkcs8 = (Pkcs8EncryptedPrivateKeyInfo)privateCrtKeyParams;
+                    PrivateKeyInfo privateKeyInfo = pkcs8.DecryptPrivateKeyInfo(
+                new PkixPbeDecryptorProviderBuilder().Build(passphrase.ToCharArray()));
+                    var bcKey = AsymmetricKeyFactory.CreatePrivateKey(privateKeyInfo.GetEncoded());
+
+                    if (bcKey is AsymmetricRsaPrivateKey)
+                    {
+                        var bcRsaKey = (AsymmetricRsaPrivateKey)bcKey;
+                        var rsaParams = ToRSAParameters(bcRsaKey);
+
+                        var rsa = RSA.Create();
+                        rsa.ImportParameters(rsaParams);
+
+                        return rsa;
+                    }
+                }
+
+                throw new ArgumentException("Provided JWT Key format is not supported");
+            }
+        }
+
+        private static RSAParameters ToRSAParameters(AsymmetricRsaPrivateKey privateKey)
+        {
+            RSAParameters rp = new RSAParameters();
+            rp.Modulus = privateKey.Modulus.ToByteArrayUnsigned();
+            rp.Exponent = privateKey.PublicExponent.ToByteArrayUnsigned();
+            rp.P = privateKey.P.ToByteArrayUnsigned();
+            rp.Q = privateKey.Q.ToByteArrayUnsigned();
+            rp.D = ConvertRSAParametersField(privateKey.PrivateExponent, rp.Modulus.Length);
+            rp.DP = ConvertRSAParametersField(privateKey.DP, rp.P.Length);
+            rp.DQ = ConvertRSAParametersField(privateKey.DQ, rp.Q.Length);
+            rp.InverseQ = ConvertRSAParametersField(privateKey.QInv, rp.Q.Length);
+            return rp;
+        }
+
+        private static byte[] ConvertRSAParametersField(Org.BouncyCastle.Math.BigInteger n, int size)
+        {
+            byte[] bs = n.ToByteArrayUnsigned();
+            if (bs.Length == size)
+            {
+                return bs;
+            }
+
+            if (bs.Length > size)
+            {
+                throw new ArgumentException("Specified size too small", "size");
+            }
+
+            byte[] padded = new byte[size];
+            Array.Copy(bs, 0, padded, size - bs.Length, bs.Length);
+            return padded;
+        }
+    }
+}

Box.Sdk.Gen/Internal/IPrivateKeyDecryptor.cs

@@ -0,0 +1,15 @@
+using System.Security.Cryptography;
+
+namespace Box.Sdk.Gen
+{
+    /// <summary>
+    /// Interface used for private key decryption in JWT auth.
+    /// </summary>
+    public interface IPrivateKeyDecryptor
+    {
+        /// <summary>
+        /// Decrypts private key using a passphrase.
+        /// </summary>
+        RSA DecryptPrivateKey(string encryptedPrivateKey, string passphrase);
+    }
+}

Box.Sdk.Gen/Managers/Downloads/DownloadsManager.cs

@@ -42,10 +42,10 @@ public async System.Threading.Tasks.Task<string> GetDownloadFileUrlAsync(string
             Dictionary<string, string> headersMap = Utils.PrepareParams(map: DictionaryUtils.MergeDictionaries(new Dictionary<string, string?>() { { "range", StringUtils.ToStringRepresentation(headers.Range) }, { "boxapi", StringUtils.ToStringRepresentation(headers.Boxapi) } }, headers.ExtraHeaders));
             FetchResponse response = await this.NetworkSession.NetworkClient.FetchAsync(options: new FetchOptions(url: string.Concat(this.NetworkSession.BaseUrls.BaseUrl, "/2.0/files/", StringUtils.ToStringRepresentation(fileId), "/content"), method: "GET", responseFormat: Box.Sdk.Gen.ResponseFormat.NoContent) { Parameters = queryParamsMap, Headers = headersMap, Auth = this.Auth, NetworkSession = this.NetworkSession, CancellationToken = cancellationToken, FollowRedirects = false }).ConfigureAwait(false);
             if (response.Headers.ContainsKey("location")) {
-                return response.Headers["location"];
+                return NullableUtils.Unwrap(response.Headers["location"]);
             }
             if (response.Headers.ContainsKey("Location")) {
-                return response.Headers["Location"];
+                return NullableUtils.Unwrap(response.Headers["Location"]);
             }
             throw new BoxSdkException(message: "No location header in response");
         }

Box.Sdk.Gen/Managers/Files/FilesManager.cs

@@ -187,10 +187,10 @@ public async System.Threading.Tasks.Task<string> GetFileThumbnailUrlAsync(string
             Dictionary<string, string> headersMap = Utils.PrepareParams(map: DictionaryUtils.MergeDictionaries(new Dictionary<string, string?>() {  }, headers.ExtraHeaders));
             FetchResponse response = await this.NetworkSession.NetworkClient.FetchAsync(options: new FetchOptions(url: string.Concat(this.NetworkSession.BaseUrls.BaseUrl, "/2.0/files/", StringUtils.ToStringRepresentation(fileId), "/thumbnail.", StringUtils.ToStringRepresentation(extension)), method: "GET", responseFormat: Box.Sdk.Gen.ResponseFormat.NoContent) { Parameters = queryParamsMap, Headers = headersMap, Auth = this.Auth, NetworkSession = this.NetworkSession, CancellationToken = cancellationToken, FollowRedirects = false }).ConfigureAwait(false);
             if (response.Headers.ContainsKey("location")) {
-                return response.Headers["location"];
+                return NullableUtils.Unwrap(response.Headers["location"]);
             }
             if (response.Headers.ContainsKey("Location")) {
-                return response.Headers["Location"];
+                return NullableUtils.Unwrap(response.Headers["Location"]);
             }
             throw new BoxSdkException(message: "No location header in response");
         }