DataProtection - Share Key Material to Sign JWT?

[brunobritodev]

Hi guys,

At ASP.NET MVC after a successful login, ASP.NET generate a Cookie, encrypt it and send to user. Great. The dev doesn't really knows how it was generated. I could say that there are many devs maybe doesn't know it is encrypted. Or worst, why we use it. Anyway.

But it's really common nowadays the dev's create REST API's. And they need to emit a JWT Token instead. While the first case they don't need to care about how it works under the hood. But with JWT, they need to digitally sign it. Create a key. Store and manage it.

Definetely isn't a simple Task. HMAC keys need to have a 64 bit key. Rotate every 90 days and so on.
I'll not mention that I've never seen someone using RSA / ECDsa. It's a dream.

When we look at DataProtection component, it accomplish the task in a very competent way. Rotate the key every 90 days. There is an good fit with azure App Service. Many extensions to store it in a safe place.

So I've two questions:

1. Why we don't provide a better way to sign-in a token with DataProtection masterKey?
2. Do you see any flaws of security doing it in this way:

    [ApiController]
    [Route("jwt-protection")]
    public class JwtFromDataProtectionKeys : ControllerBase
    {
        private readonly IKeyRingProvider _keyRingProvider;
        private readonly IKeyManager _keyManager;

        public JwtFromDataProtectionKeys(
            IKeyRingProvider keyRingProvider,
            IKeyManager keyManager)
        {
            _keyRingProvider = keyRingProvider;
            _keyManager = keyManager;
        }

        /// <summary>
        /// Get current key.
        /// </summary>
        private JsonWebKey CreateJwk()
        {
            // Get current key ring from DataProtection
            var currentKeyRing = _keyRingProvider.GetCurrentKeyRing();

            // Identify current KeyId
            var defaultKeyId = currentKeyRing.DefaultKeyId;

            // Get private key from current keyid
            var storedKey = _keyManager.GetAllKeys().First(f => f.KeyId == defaultKeyId);
            var descriptorXmlInfo = storedKey.Descriptor.ExportToXml();
            var key = new XElement("key", descriptorXmlInfo.SerializedDescriptorElement.LastNode).Value;

            // generate jwk. Then sign jwk
            var bKey = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true).GetBytes(key);
            var symetricKey = new HMACSHA256(bKey);

            var jwk = JsonWebKeyConverter.ConvertFromSymmetricSecurityKey(new SymmetricSecurityKey(symetricKey.Key));
            jwk.KeyId = Base64UrlEncoder.Encode(defaultKeyId.ToString());

            return jwk;
        }

        /// <summary>
        /// Kind of jwks
        /// </summary>
        /// <returns></returns>
        private IEnumerable<JsonWebKey> GetKeys()
        {
            var jwks = new List<JsonWebKey>();
            // Get keys from DataProtectionKeys
            var storedKey = _keyManager.GetAllKeys();
            foreach (var key in storedKey.OrderByDescending(b => b.CreationDate))
            {
                var defaultKeyId = key.KeyId;

                // Export for Xml to get access to masterkey
                var descriptorXmlInfo = key.Descriptor.ExportToXml();
                var keyData = new XElement("key", descriptorXmlInfo.SerializedDescriptorElement.LastNode).Value;

                var bKey = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true).GetBytes(keyData);
                var symetricKey = new HMACSHA256(bKey);

                var jwk = JsonWebKeyConverter.ConvertFromSymmetricSecurityKey(new SymmetricSecurityKey(symetricKey.Key));
                jwk.KeyId = Base64UrlEncoder.Encode(defaultKeyId.ToString());

                jwks.Add(jwk);
            }

            return jwks;
        }
   // Normal routines to generate Jwt
}

I'm achieved it, but was really painful to find out every piece of code. Debbuging the aspnet code to understande how it works.

sorry about create this issue. But I've tried to search in many places and I couldn't find anywhere.