Hrithik.Security.Jose 1.0.0


Hrithik.Security.Jose

Banking-grade JOSE (JWS + JWE) security library for .NET 8+

Hrithik.Security.Jose is a production-ready implementation of JSON Object Signing and Encryption (JOSE) designed for fintech, banking, and enterprise APIs.

The library enforces secure defaults, explicit validation rules, and deterministic behavior.
It is intentionally opinionated to prevent common JWT/JWE security mistakes.


✨ Key Features

🔐 JWS (JSON Web Signature)

  • RS256 and HS256 signing
  • Explicit algorithm allow-list (prevents alg:none attacks)
  • Mandatory exp (expiration) claim enforcement
  • Deterministic clock handling via IClock
  • Secure kid-based key resolution
  • Tamper-detection and defensive parsing

🔒 JWE (JSON Web Encryption)

  • RSA-OAEP key management
  • A256CBC-HS512 content encryption (Microsoft-supported & bank-grade)
  • Strong payload confidentiality
  • Header kid enforcement
  • Fully compatible with Azure AD / Entra / Microsoft Identity

🧠 Validation & Security

  • Domain-specific exceptions (InvalidTokenException)
  • No framework exception leakage
  • Clock-skew aware lifetime validation
  • Strict parsing and validation rules

🧪 Testing

  • Security-negative test coverage (tampering, downgrade, expiry)
  • Deterministic crypto tests
  • Fully isolated test infrastructure
  • All critical paths covered

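📦 Installation

```bash
dotnet add package Hrithik.Security.Jose
```

🚀 Quick Start

JWS – Sign and Validate

```csharp
// keyProvider (an IJoseKeyProvider), tokenValidator and clock (an IClock)
// are supplied by the caller.
var signer = new JwsSigner(
    keyProvider,
    new JwsOptions(),
    clock);

var verifier = new JwsVerifier(
    keyProvider,
    tokenValidator,
    clock);

// Sign the claims; the second argument is the key ID (kid) of the signing key.
var token = signer.Sign(
    new Dictionary<string, object>
    {
        ["sub"] = "user123",
        ["scope"] = "payments"
    },
    "signing-key-1");

// Validate the token against the same key ID.
verifier.Validate(token, "signing-key-1");
```

JWE – Encrypt and Decrypt

```csharp
var encryptor = new JweEncryptor(keyProvider);
var decryptor = new JweDecryptor(keyProvider);

// Encrypt a JSON payload for the key with ID "enc-key-1".
var encrypted = encryptor.Encrypt(
    "{\"amount\":1000}",
    "enc-key-1");

// Decrypt with the same key ID to recover the payload.
var payload = decryptor.Decrypt(
    encrypted,
    "enc-key-1");
```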

🔑 Key Management

Consumers must provide their own key source by implementing:

```csharp
public interface IJoseKeyProvider
{
    SecurityKey GetSigningKey(string keyId);
    SecurityKey GetEncryptionKey(string keyId);
}
```

This enables seamless integration with:

  • Azure Key Vault
  • Hardware Security Modules (HSM)
  • Cloud KMS providers
  • On-prem key stores
  • Bring-Your-Own-Key (BYOK) models
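
One way to satisfy this interface, as an added example that is not part of the package or its README: a hypothetical in-memory provider (`InMemoryJoseKeyProvider` and its `Add*` methods are invented here) that keeps signing and encryption keys apart and fails on an unknown `kid`. It assumes `SecurityKey` is the `Microsoft.IdentityModel.Tokens` type and redeclares the interface so the file compiles alone; how the library reacts to an exception thrown by a provider is not stated on the page.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens; // assumed source of SecurityKey

// Copied from the README so this file compiles alone; remove when referencing the package.
public interface IJoseKeyProvider
{
    SecurityKey GetSigningKey(string keyId);
    SecurityKey GetEncryptionKey(string keyId);
}

// Hypothetical in-memory provider. Signing and encryption keys are kept apart, and an
// unknown kid is an error, never a fallback to a default key.
public sealed class InMemoryJoseKeyProvider : IJoseKeyProvider
{
    private readonly Dictionary<string, SecurityKey> _signing = new(StringComparer.Ordinal);
    private readonly Dictionary<string, SecurityKey> _encryption = new(StringComparer.Ordinal);
    public void AddSigningKey(SecurityKey key) => Add(_signing, _encryption, key);
    public void AddEncryptionKey(SecurityKey key) => Add(_encryption, _signing, key);
    public SecurityKey GetSigningKey(string keyId) => Resolve(_signing, keyId, "signing");
    public SecurityKey GetEncryptionKey(string keyId) => Resolve(_encryption, keyId, "encryption");

    private static void Add(Dictionary<string, SecurityKey> target,
                            Dictionary<string, SecurityKey> other, SecurityKey key)
    {
        if (string.IsNullOrWhiteSpace(key.KeyId))
            throw new ArgumentException("Key must carry a KeyId (kid).", nameof(key));
        if (key is RsaSecurityKey && key.KeySize < 2048)
            throw new ArgumentException("RSA keys under 2048 bits are refused.", nameof(key));
        if (other.ContainsKey(key.KeyId)) // one kid serves one purpose only
            throw new InvalidOperationException("kid already registered for the other purpose.");
        target.Add(key.KeyId, key); // a duplicate kid throws instead of overwriting
    }

    private static SecurityKey Resolve(Dictionary<string, SecurityKey> map, string keyId, string purpose) =>
        keyId is not null && map.TryGetValue(keyId, out var key) ? key
            : throw new KeyNotFoundException($"No {purpose} key for the requested kid.");
}

public static class Demo
{
    public static void Main()
    {
        var keys = new InMemoryJoseKeyProvider();
        keys.AddSigningKey(new RsaSecurityKey(RSA.Create(2048)) { KeyId = "signing-key-1" });
        keys.AddEncryptionKey(new RsaSecurityKey(RSA.Create(2048)) { KeyId = "enc-key-1" });
        try { keys.GetSigningKey("enc-key-1"); } // encryption kid requested as a signing key
        catch (KeyNotFoundException e) { Console.WriteLine(e.Message); }
    }
}
```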

🕒 Clock & Time Safety

All time-sensitive logic uses the IClock abstraction.

This ensures:

  • Deterministic tests
  • No reliance on DateTime.UtcNow
  • Safe token lifetime validation
  • Predictable behavior in distributed systems
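
The checks named in the JWS feature list and in this section (algorithm allow-list, mandatory `exp`, skew-aware expiry against an injected clock), sketched as an added example; it is not the library's code. `JwsPolicy.Reject`, the reason strings and the `Func<DateTimeOffset>` standing in for `IClock` (whose members the page does not show) are assumptions, the tokens are constructed, and signature verification is deliberately out of scope.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

public static class JwsPolicy
{
    // Policy checks on a compact JWS, run BEFORE signature verification. They do not
    // replace it: a token that passes here is still unauthenticated. Returns null or a reason.
    public static string? Reject(string token, IReadOnlySet<string> allowedAlgs,
                                 Func<DateTimeOffset> utcNow, TimeSpan skew)
    {
        var parts = token.Split('.');
        if (parts.Length != 3 || parts[2].Length == 0) return "not a signed compact JWS";
        try
        {
            using var header = JsonDocument.Parse(Decode(parts[0]));
            using var claims = JsonDocument.Parse(Decode(parts[1]));
            // Exact, case-sensitive match against the allow-list; "none" is never on it.
            if (!header.RootElement.TryGetProperty("alg", out var alg) ||
                alg.ValueKind != JsonValueKind.String || !allowedAlgs.Contains(alg.GetString()!))
                return "alg not allowed";
            if (!claims.RootElement.TryGetProperty("exp", out var exp) ||
                exp.ValueKind != JsonValueKind.Number || !exp.TryGetInt64(out var expSeconds))
                return "exp missing or not numeric";
            // Expired once now >= exp + skew; time comes from the injected clock only.
            return utcNow() >= DateTimeOffset.FromUnixTimeSeconds(expSeconds) + skew ? "expired" : null;
        }
        catch (Exception e) when (e is FormatException or JsonException or ArgumentException or InvalidOperationException)
        { return "malformed token"; } // parser details are not passed to the caller
    }

    private static byte[] Decode(string s) => Convert.FromBase64String( // unpadded base64url -> bytes
        s.Replace('-', '+').Replace('_', '/').PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    private static string Encode(string json) => // used only to build the constructed sample tokens
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static void Main()
    {
        var now = DateTimeOffset.FromUnixTimeSeconds(1_700_000_000); // fixed test clock
        var allowed = new HashSet<string>(StringComparer.Ordinal) { "RS256", "HS256" };
        string Tok(string h, string p) => $"{Encode(h)}.{Encode(p)}.c2ln"; // placeholder signature
        foreach (var t in new[] {
            Tok("{\"alg\":\"none\"}", "{\"exp\":1700000600}"),    // downgrade attempt
            Tok("{\"alg\":\"RS256\"}", "{\"sub\":\"user123\"}"),  // no exp claim
            Tok("{\"alg\":\"RS256\"}", "{\"exp\":1699999950}"),   // 50 s past exp, inside the 60 s skew
            Tok("{\"alg\":\"RS256\"}", "{\"exp\":1699999000}") }) // 1000 s past exp
            Console.WriteLine(Reject(t, allowed, () => now, TimeSpan.FromSeconds(60)) ?? "passes pre-checks");
    }
}
```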

🏦 Security Philosophy

This library is intentionally strict.

❌ No insecure defaults

❌ No silent fallbacks

❌ No implicit algorithm selection

❌ No alg:none

❌ No token acceptance without expiration

Instead:

✅ Explicit policy enforcement

✅ Audit-friendly design

✅ Clear failure modes

✅ Fintech / banking aligned behavior

📚 Standards & Compatibility

  • RFC 7515 – JSON Web Signature (JWS)
  • RFC 7516 – JSON Web Encryption (JWE)
  • RFC 7519 – JSON Web Token (JWT)
  • Fully compatible with Microsoft Identity & Azure Entra

📄 License

MIT License

## 👤 Author

**Hrithik Kalra**
Fintech & Security Engineering

📧 Email: hrithikkalra11@gmail.com

If you find this package useful, consider supporting its development:

- ☕ Buy Me a Coffee: https://www.buymeacoffee.com/alkylhalid9
- ❀️ GitHub Sponsors: https://github.com/sponsors/hrithikalra

Support is entirely optional and helps sustain ongoing development and maintenance.

---

## 🔗 Related Packages

This package is part of the **Hrithik.Security** ecosystem:

- **Hrithik.Security.ApiKeyManagement**  
  API key generation, storage, and scope-based authorization

- **Hrithik.Security.RequestSigning**  
  HMAC-based request signing for tamper-proof APIs

- **Hrithik.Security.ReplayProtection**  
  Short-window replay attack prevention

- **Hrithik.Security.RateLimiting**  
  Flexible, API-key–aware rate limiting for ASP.NET Core APIs

These packages are **independent** and can be used together or individually.

⚠️ Disclaimer

This library provides cryptographic primitives and enforcement rules.
Security of the overall system still depends on key management, transport security, and correct integration.

Always follow your organization’s security policies and compliance requirements.




Product: .NET

Compatible and additional computed target framework versions: net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 was computed. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 was computed. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

| Version | Downloads | Last Updated |
|---------|-----------|--------------|
| 1.0.0   | 96        | 2/3/2026     |

Initial stable release.
Includes JWS (RS256/HS256) and JWE (RSA-OAEP + A256CBC-HS512).