feat: Revoked Reason

Revoked Reason

src/NetDevPack.Security.Jwt.Core/DefaultStore/DataProtectionStore.cs

@@ -37,6 +37,7 @@ internal class DataProtectionStore : IJsonWebKeyStore
     private IXmlRepository KeyRepository => _keyManagementOptions.Value.XmlRepository ?? GetFallbackKeyRepositoryEncryptorPair();
 
     private const string Name = "NetDevPackSecurityJwt";
+    internal const string DefaultRevocationReason = "Revoked";
 
     public DataProtectionStore(
         ILoggerFactory loggerFactory,
@@ -98,7 +99,7 @@ private IReadOnlyCollection<KeyMaterial> GetKeys()
     {
         var allElements = KeyRepository.GetAllElements();
         var keys = new List<KeyMaterial>();
-        var revokedKeys = new List<string>();
+        var revokedKeys = new List<RevokedKeyInfo>();
         foreach (var element in allElements)
         {
             if (element.Name == Name)
@@ -124,21 +125,22 @@ private IReadOnlyCollection<KeyMaterial> GetKeys()
                 if (key.IsExpired(_options.Value.DaysUntilExpire))
                 {
                     //Revoke(key).Wait();
-                    revokedKeys.Add(key.Id.ToString());
+                    revokedKeys.Add(new RevokedKeyInfo(key.Id.ToString()));
                 }
 
                 keys.Add(key);
             }
             else if (element.Name == RevocationElementName)
             {
                 var keyIdAsString = (string)element.Element(Name)!.Attribute(IdAttributeName)!;
-                revokedKeys.Add(keyIdAsString);
+                var reason = (string)element.Element(ReasonElementName);
+                revokedKeys.Add(new RevokedKeyInfo(keyIdAsString, reason));
             }
         }
 
         foreach (var revokedKey in revokedKeys)
         {
-            keys.FirstOrDefault(a => a.Id.ToString().Equals(revokedKey))?.Revoke();
+            keys.FirstOrDefault(a => a.Id.ToString().Equals(revokedKey.Id))?.Revoke(revokedKey.RevokedReason);
         }
         return keys.ToList();
     }
@@ -181,7 +183,7 @@ public async Task Clear()
     }
 
 
-    public async Task Revoke(KeyMaterial keyMaterial)
+    public async Task Revoke(KeyMaterial keyMaterial, string reason = null)
     {
         if(keyMaterial == null)
             return;
@@ -193,12 +195,13 @@ public async Task Revoke(KeyMaterial keyMaterial)
             return;
 
         keyMaterial.Revoke();
+        var revokeReason = reason ?? DefaultRevocationReason;
         var revocationElement = new XElement(RevocationElementName,
             new XAttribute(VersionAttributeName, 1),
             new XElement(RevocationDateElementName, DateTimeOffset.UtcNow),
             new XElement(Name,
                 new XAttribute(IdAttributeName, keyMaterial.Id)),
-            new XElement(ReasonElementName, "Revoked"));
+            new XElement(ReasonElementName, revokeReason));
 
 
         // Persist it to the underlying repository and trigger the cancellation token

src/NetDevPack.Security.Jwt.Core/DefaultStore/InMemoryStore.cs

@@ -6,7 +6,7 @@ namespace NetDevPack.Security.Jwt.Core.DefaultStore;
 
 internal class InMemoryStore : IJsonWebKeyStore
 {
-
+    internal const string DefaultRevocationReason = "Revoked";
     private static readonly List<KeyMaterial> _store = new();
     private readonly SemaphoreSlim _slim = new(1);
     public Task Store(KeyMaterial keyMaterial)
@@ -23,12 +23,12 @@ public Task<KeyMaterial> GetCurrent()
         return Task.FromResult(_store.OrderByDescending(s => s.CreationDate).FirstOrDefault());
     }
 
-    public async Task Revoke(KeyMaterial keyMaterial)
+    public async Task Revoke(KeyMaterial keyMaterial, string reason = null)
     {
         if(keyMaterial == null)
             return;
-
-        keyMaterial.Revoke();
+        var revokeReason = reason ?? DefaultRevocationReason;
+        keyMaterial.Revoke(revokeReason);
         var oldOne = _store.Find(f => f.Id == keyMaterial.Id);
         if (oldOne != null)
         {

src/NetDevPack.Security.Jwt.Core/Interfaces/IJsonWebKeyStore.cs

@@ -8,7 +8,7 @@ public interface IJsonWebKeyStore
 {
     Task Store(KeyMaterial keyMaterial);
     Task<KeyMaterial> GetCurrent();
-    Task Revoke(KeyMaterial keyMaterial);
+    Task Revoke(KeyMaterial keyMaterial, string reason=default);
     Task<ReadOnlyCollection<KeyMaterial>> GetLastKeys(int quantity);
     Task<KeyMaterial> Get(string keyId);
     Task Clear();

src/NetDevPack.Security.Jwt.Core/Model/Key.cs

@@ -22,6 +22,7 @@ public KeyMaterial(CryptographicKey cryptographicKey)
     public string Type { get; set; }
     public string Parameters { get; set; }
     public bool IsRevoked { get; set; }
+    public string? RevokedReason { get; set; }
     public DateTime CreationDate { get; set; }
     public DateTime? ExpiredAt { get; set; }
 
@@ -30,15 +31,18 @@ public JsonWebKey GetSecurityKey()
         return JsonSerializer.Deserialize<JsonWebKey>(Parameters);
     }
 
-    public void Revoke()
+    public void Revoke(string reason=default)
     {
         var jsonWebKey = GetSecurityKey();
         var publicWebKey = PublicJsonWebKey.FromJwk(jsonWebKey);
         ExpiredAt = DateTime.UtcNow;
         IsRevoked = true;
+        RevokedReason = reason;
         Parameters = JsonSerializer.Serialize(publicWebKey.ToNativeJwk(), new JsonSerializerOptions() { DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingDefault });
     }
 
+
+
     public bool IsExpired(int valueDaysUntilExpire)
     {
         return CreationDate.AddDays(valueDaysUntilExpire) < DateTime.UtcNow.Date;

src/NetDevPack.Security.Jwt.Core/Model/RevokedKeyInfo.cs

@@ -0,0 +1,7 @@
+namespace NetDevPack.Security.Jwt.Core.Model;
+
+record RevokedKeyInfo(string Id, string? RevokedReason=default)
+{
+    public string Id { get; } = Id;
+    public string? RevokedReason { get; } = RevokedReason;
+}

src/NetDevPack.Security.Jwt.Core/NetDevPack.Security.Jwt.Core.csproj

@@ -24,6 +24,11 @@
     <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="7.0.0" />
   </ItemGroup>
 
+	<ItemGroup>
+		<AssemblyAttribute Include="System.Runtime.CompilerServices.InternalsVisibleToAttribute">
+			<_Parameter1>NetDevPack.Security.Jwt.Tests</_Parameter1>
+		</AssemblyAttribute>
+	</ItemGroup>
 
   <Target Name="CopyHook" AfterTargets="AfterBuild" Condition="'$(Configuration)' == 'Debug'">
     <ItemGroup>

src/NetDevPack.Security.Jwt.Store.FileSystem/FileSystemStore.cs

@@ -51,7 +51,7 @@ public bool NeedsUpdate()
             return !File.Exists(GetCurrentFile()) || File.GetCreationTimeUtc(GetCurrentFile()).AddDays(_options.Value.DaysUntilExpire) < DateTime.UtcNow.Date;
         }
 
-        public async Task Revoke(KeyMaterial? securityKeyWithPrivate)
+        public async Task Revoke(KeyMaterial securityKeyWithPrivate, string reason = null)
         {
             if (securityKeyWithPrivate == null)
                 return;

tests/NetDevPack.Security.Jwt.Tests/StoreTests/DataProtectionStoreTest.cs

@@ -1,4 +1,11 @@
-using NetDevPack.Security.Jwt.Tests.Warmups;
+using System.Linq;
+using Microsoft.IdentityModel.Tokens;
+using NetDevPack.Security.Jwt.Tests.Warmups;
+using System.Threading.Tasks;
+using FluentAssertions;
+using NetDevPack.Security.Jwt.Core.DefaultStore;
+using NetDevPack.Security.Jwt.Core.Jwa;
+using NetDevPack.Security.Jwt.Core.Model;
 using Xunit;
 
 namespace NetDevPack.Security.Jwt.Tests.StoreTests;
@@ -9,4 +16,6 @@ public class DataProtectionStoreTest : GenericStoreServiceTest<WarmupDataProtect
     public DataProtectionStoreTest(WarmupDataProtectionStore unifiedContext) : base(unifiedContext)
     {
     }
+
+
 }

tests/NetDevPack.Security.Jwt.Tests/StoreTests/GenericStoreServiceTest.cs

@@ -10,6 +10,7 @@
 using Microsoft.IdentityModel.JsonWebTokens;
 using Microsoft.IdentityModel.Tokens;
 using NetDevPack.Security.Jwt.Core;
+using NetDevPack.Security.Jwt.Core.DefaultStore;
 using NetDevPack.Security.Jwt.Core.Interfaces;
 using NetDevPack.Security.Jwt.Core.Jwa;
 using NetDevPack.Security.Jwt.Core.Model;
@@ -21,7 +22,7 @@ public abstract class GenericStoreServiceTest<TWarmup> : IClassFixture<TWarmup>
     where TWarmup : class, IWarmupTest
 {
     private static SemaphoreSlim TestSync = new(1);
-    private readonly IJsonWebKeyStore _store;
+    protected readonly IJsonWebKeyStore _store;
     private readonly IOptions<JwtOptions> _options;
     public TWarmup WarmupData { get; }
 
@@ -498,6 +499,42 @@ public async Task ShouldGenerateAndValidateJweAndJws()
 
     }
 
+    [Fact]
+    public async Task Should_Read_Default_Revocation_Reason()
+    {
+        var keyMaterial = await StoreRandomKey();
+        /*Revoke*/
+        await _store.Revoke(keyMaterial);
+        await CheckRevocationReasonIsStored(keyMaterial.KeyId, DataProtectionStore.DefaultRevocationReason);
+    }
+
+    [Theory]
+    [InlineData("ManualRevocation")]
+    [InlineData("StolenKey")]
+    public async Task Should_Read_NonDefault_Revocation_Reason(string reason)
+    {
+        var keyMaterial = await StoreRandomKey();
+        /*Revoke with reason*/
+        await _store.Revoke(keyMaterial, reason);
+        await CheckRevocationReasonIsStored(keyMaterial.KeyId, reason);
+    }
+
+    private async Task CheckRevocationReasonIsStored(string keyId, string revocationReason)
+    {
+        var dbKey = (await _store.GetLastKeys(5)).First(w => w.KeyId == keyId);
+        dbKey.Type.Should().NotBeNullOrEmpty();
+        dbKey.RevokedReason.Should().BeEquivalentTo(revocationReason);
+    }
+
+    private async Task<KeyMaterial> StoreRandomKey()
+    {
+        var alg = Algorithm.Create(DigitalSignaturesAlgorithm.RsaSha512);
+        var key = new CryptographicKey(alg);
+        var keyMaterial = new KeyMaterial(key);
+        await _store.Store(keyMaterial);
+        return keyMaterial;
+    }
+
 
 
     private Task GenerateKey()