How to Encryption JWT Payload with Public Key RSA_OAEP_256

Question

I'm using "BouncyCastle.NetCore" and "jose-jwt" libraries to sign and encrypt a web token. I'm able to sign with my private key by below code. but the requirements is to also perform OpenID JWT Encryption In order to encrypt the JWT payload, we need to do that using provided public key string (base64 decoded with X509 key spec). the encode needed to use RSA algorithm and JWE header should include header name “alg" with the value: RSA_OAEP_256. Below code is sign only with private key but not sure how to complete the encode??

 class Program
{
    string publicKeyString = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB";
    public static async Task Main(string[] args)
    {
        var payload = new System.Collections.Generic.Dictionary<string, object>()
            {
                { "sub", "[email protected]" },
                { "iss", "https://www.YourBrand.com" },
                { "exp", 1300819380 },
                { "iat", 1446111752 },
                { "preferred_username", "JohnDoe2" },
                { "phone_number", "+2-10-344-3765333" }
            };
        var token = CreateToken(payload);
        Console.WriteLine($"token={token}");
    }
    public static string CreateToken(object payload)
    {
        string jwt = string.Empty;
        var fileStream = System.IO.File.OpenText("C:\\temp\\my_private_key.pem");
        var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(fileStream, new MyPasswordFinder());
        var keyPair = (Org.BouncyCastle.Crypto.AsymmetricKeyParameter)pemReader.ReadObject();
        RSAParameters rsaParams = DotNetUtilities.ToRSAParameters((RsaPrivateCrtKeyParameters)keyPair);
        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
        {
            rsa.ImportParameters(rsaParams);                
            jwt = JWT.Encode(payload, rsa, JwsAlgorithm.RS256);//,options: new JwtOptions { EncodePayload = true }
        }
        return jwt;
    }

}

I think this article by "Scott Brady" may give you a good idea on how to do it, or at least point you to the right direction: scottbrady91.com/C-Sharp/JSON-Web-Encryption-JWE-in-dotnet-Core — Luis

timur timur · Accepted Answer · 2020-04-23T00:50:13

The only difference EncodePayload seems to make is how payload ends up being written out to JWT body. It is true by default and does not affect payload encryption (see source code):

return jwtOptions.EncodePayload
            ? Compact.Serialize(headerBytes, payloadBytes, signature)
            : Compact.Serialize(headerBytes, Encoding.UTF8.GetString(payloadBytes), signature);

What you probably want is to specify JweAlgorithm and correct JweEncryption (note, it's a different overload to the same function:

jwt = JWT.Encode(payload, rsa, JweAlgorithm.RSA_OAEP_256, JweEncryption.A256GCM);

How to Encryption JWT Payload with Public Key RSA_OAEP_256

1 Answers