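<#
.SYNOPSIS
Encrypts the JWT payload using a secret, PEM file, X509 certificate, or JWK.

.DESCRIPTION
Protect-KrJWTPayload configures a JWT token builder to encrypt the payload (JWE)
using one of the following key sources, selected by parameter set:
- Base64Url-encoded secret
- Hexadecimal key
- Raw byte array
- PEM file containing an RSA public key
- X509 certificate
- JSON Web Key (JWK), given inline as JSON or as a file path

The function ensures confidentiality of the JWT payload by applying encryption with
the specified key and algorithm.

Defaults depend on the key source. Symmetric sources (Base64Url, HexadecimalKey,
KeyBytes) use key algorithm 'dir' with content encryption 'A256CBC-HS512'; asymmetric
sources (PemPath, X509Certificate, JwkJson, JwkPath) use 'RSA-OAEP' with 'A256GCM'.
Either default can be overridden with -KeyAlg / -EncAlg. Note that A256CBC-HS512
expects a 512-bit (64-byte) key per RFC 7518; whether the builder rejects shorter
secrets is not verified here and should be confirmed against JwtTokenBuilder.

.PARAMETER Builder
The JWT token builder to modify.

.PARAMETER HexadecimalKey
The hexadecimal key used to encrypt the JWT token payload.

.PARAMETER Base64Url
The Base64Url-encoded secret used to encrypt the JWT token payload.

.PARAMETER KeyBytes
The byte array used to encrypt the JWT token payload.

.PARAMETER KeyAlg
The JWE key management algorithm (the 'alg' header), e.g. 'dir' or 'RSA-OAEP'.
Optional; when omitted or blank, a default is chosen from the parameter set as
described above. Signing algorithms such as 'HS256' or 'RS256' are not encryption
algorithms and do not apply here.

.PARAMETER EncAlg
The JWE content encryption algorithm (the 'enc' header), e.g. 'A256CBC-HS512' or
'A256GCM'. Optional; when omitted or blank, a default is chosen from the parameter set.

.PARAMETER PemPath
The path to a PEM file containing the RSA public key for encryption.

.PARAMETER X509Certificate
The X509 certificate used for encryption.

.PARAMETER JwkJson
The JSON Web Key (JWK) in JSON format used for encryption.

.PARAMETER JwkPath
The path to a JSON Web Key (JWK) file used for encryption.

.OUTPUTS
[Kestrun.Jwt.JwtTokenBuilder]
Returns the modified JWT token builder with encryption applied.

.EXAMPLE
$builder = New-KrJWTTokenBuilder | Protect-KrJWTPayload -Base64Url 'your_base64_url_secret'

.EXAMPLE
$builder | Protect-KrJWTPayload -HexadecimalKey 'a1b2c3d4e5f6'

.EXAMPLE
# Windows PowerShell 5.1 syntax; on PowerShell 7+ use -AsByteStream instead of -Encoding Byte.
$builder | Protect-KrJWTPayload -KeyBytes (Get-Content -Path 'C:\path\to\key.bin' -Encoding Byte)

.EXAMPLE
# Override the symmetric defaults; a key source is still required.
$builder | Protect-KrJWTPayload -Base64Url 'your_base64_url_secret' -KeyAlg 'dir' -EncAlg 'A256GCM'

.EXAMPLE
$builder | Protect-KrJWTPayload -PemPath 'C:\path\to\key.pem'

.EXAMPLE
# Get-PfxCertificate returns an X509Certificate2 (Get-Item would return a FileInfo).
$builder | Protect-KrJWTPayload -X509Certificate (Get-PfxCertificate -FilePath 'C:\path\to\certificate.pfx')

.NOTES
This function is part of the Kestrun.Jwt module and is used to build and protect JWT tokens.
Internally maps to JwtTokenBuilder.EncryptWithSecretB64, EncryptWithSecretHex, EncryptWithSecret,
EncryptWithPemPublic, EncryptWithCertificate, EncryptWithJwkJson, and EncryptWithJwkPath methods.

.LINK
https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytoken
#>
function Protect-KrJWTPayload {
    [KestrunRuntimeApi('Everywhere')]
    [CmdletBinding(DefaultParameterSetName = 'Base64Url')]
    [OutputType([Kestrun.Jwt.JwtTokenBuilder])]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline)]
        [Kestrun.Jwt.JwtTokenBuilder] $Builder,

        [Parameter(Mandatory = $true, ParameterSetName = 'HexadecimalKey')]
        [string] $HexadecimalKey,

        [Parameter(Mandatory = $true, ParameterSetName = 'Base64Url')]
        [string] $Base64Url,

        [Parameter(Mandatory = $true, ParameterSetName = 'Bytes')]
        [byte[]] $KeyBytes,

        [Parameter(Mandatory = $false)]
        [string] $KeyAlg = '',

        [Parameter(Mandatory = $false)]
        [string] $EncAlg = '',

        [Parameter(Mandatory = $true, ParameterSetName = 'PemPath')]
        [string] $PemPath,

        [Parameter(Mandatory = $true, ParameterSetName = 'Certificate')]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $X509Certificate,

        [Parameter(Mandatory = $true, ParameterSetName = 'JwkJson')]
        [string] $JwkJson,

        [Parameter(Mandatory = $true, ParameterSetName = 'JwkPath')]
        [string] $JwkPath
    )

    process {
        $setName = $PSCmdlet.ParameterSetName

        # Symmetric key sources use direct key agreement ('dir') with the CBC-HMAC
        # composite cipher; every other source is asymmetric and wraps a content
        # key with RSA-OAEP, encrypting the payload with AES-GCM.
        $isSymmetric = $setName -in @('Base64Url', 'HexadecimalKey', 'Bytes')
        $defaultKeyAlg = if ($isSymmetric) { 'dir' } else { 'RSA-OAEP' }
        $defaultEncAlg = if ($isSymmetric) { 'A256CBC-HS512' } else { 'A256GCM' }

        # An explicit -KeyAlg / -EncAlg wins; empty or whitespace-only values fall
        # back to the parameter-set default.
        $ka = if ([string]::IsNullOrWhiteSpace($KeyAlg)) { $defaultKeyAlg } else { $KeyAlg }
        $ea = if ([string]::IsNullOrWhiteSpace($EncAlg)) { $defaultEncAlg } else { $EncAlg }

        # Whatever the builder methods return is discarded so that only the single
        # $Builder emitted below reaches the pipeline.
        switch ($setName) {
            'Base64Url' {
                $null = $Builder.EncryptWithSecretB64($Base64Url, $ka, $ea)
            }
            'HexadecimalKey' {
                $null = $Builder.EncryptWithSecretHex($HexadecimalKey, $ka, $ea)
            }
            'Bytes' {
                $null = $Builder.EncryptWithSecret($KeyBytes, $ka, $ea)
            }
            'PemPath' {
                # NOTE(review): -KestrunRoot presumably resolves the path relative to
                # the Kestrun root rather than the caller's working directory — confirm.
                $resolvedPath = Resolve-KrPath -Path $PemPath -KestrunRoot
                $null = $Builder.EncryptWithPemPublic($resolvedPath, $ka, $ea)
            }
            'Certificate' {
                # The RSA-OAEP default assumes the certificate carries an RSA public
                # key; pass -KeyAlg explicitly for other key types if the builder
                # supports them.
                $null = $Builder.EncryptWithCertificate($X509Certificate, $ka, $ea)
            }
            'JwkJson' {
                $null = $Builder.EncryptWithJwkJson($JwkJson, $ka, $ea)
            }
            'JwkPath' {
                $resolvedPath = Resolve-KrPath -Path $JwkPath -KestrunRoot
                $null = $Builder.EncryptWithJwkPath($resolvedPath, $ka, $ea)
            }
        }

        return $Builder
    }
}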