chore(Security): Description fixed

- Benennung der perm-Datei aktualisiert.

.gitignore

@@ -410,3 +410,4 @@ FodyWeavers.xsd
 /DigitalData.Core.ConsoleApp/FooHttpOptions.cs
 /DigitalData.Core.Tests/obj/
 /DigitalData.Core.Terminal
+/DigitalData.Core.Tests.API

DigitalData.Core.API/BasicCRUDControllerBase.cs

@@ -7,7 +7,7 @@ namespace DigitalData.Core.API
     [ApiController]
     [Route("api/[controller]")]
     public class BasicCRUDControllerBase<TCRUDService, TDto, TEntity, TId> : CRUDControllerBase<TCRUDService, TDto, TDto, TDto, TEntity, TId>
-        where TCRUDService : ICRUDService<TDto, TDto, TDto, TEntity, TId>
+        where TCRUDService : ICRUDService<TDto, TDto, TEntity, TId>
         where TDto : class, IUnique<TId>
         where TEntity : class, IUnique<TId>
     {

DigitalData.Core.API/CRUDControllerBase.cs

@@ -11,13 +11,12 @@ namespace DigitalData.Core.API
     /// <typeparam name="TCRUDService">The derived CRUD service type implementing ICRUDService<TCreateDto, TReadDto, TUpdateDto, TEntity, TId>.</typeparam>
     /// <typeparam name="TCreateDto">The Data Transfer Object type for create operations.</typeparam>
     /// <typeparam name="TReadDto">The Data Transfer Object type for read operations.</typeparam>
-    /// <typeparam name="TUpdateDto">The Data Transfer Object type for update operations.</typeparam>
     /// <typeparam name="TEntity">The entity type CRUD operations will be performed on.</typeparam>
     /// <typeparam name="TId">The type of the entity's identifier.</typeparam>
     [ApiController]
     [Route("api/[controller]")]
     public class CRUDControllerBase<TCRUDService, TCreateDto, TReadDto, TUpdateDto, TEntity, TId> : ControllerBase
-        where TCRUDService : ICRUDService<TCreateDto, TReadDto, TUpdateDto, TEntity, TId>
+        where TCRUDService : ICRUDService<TCreateDto, TReadDto, TEntity, TId>
         where TCreateDto : class
         where TReadDto : class
         where TUpdateDto : class, IUnique<TId>

DigitalData.Core.API/CRUDControllerBaseWithErrorHandling.cs

@@ -12,13 +12,12 @@ namespace DigitalData.Core.API
     /// <typeparam name="TCRUDService">The derived CRUD service type implementing ICRUDService<TCreateDto, TReadDto, TUpdateDto, TEntity, TId>.</typeparam>
     /// <typeparam name="TCreateDto">The Data Transfer Object type for create operations.</typeparam>
     /// <typeparam name="TReadDto">The Data Transfer Object type for read operations.</typeparam>
-    /// <typeparam name="TUpdateDto">The Data Transfer Object type for update operations.</typeparam>
     /// <typeparam name="TEntity">The entity type CRUD operations will be performed on.</typeparam>
     /// <typeparam name="TId">The type of the entity's identifier.</typeparam>
     [ApiController]
     [Route("api/[controller]")]
     public class CRUDControllerBaseWithErrorHandling<TCRUDService, TCreateDto, TReadDto, TUpdateDto, TEntity, TId> : ControllerBase
-        where TCRUDService : ICRUDService<TCreateDto, TReadDto, TUpdateDto, TEntity, TId>
+        where TCRUDService : ICRUDService<TCreateDto, TReadDto, TEntity, TId>
         where TCreateDto : class
         where TReadDto : class
         where TUpdateDto : class, IUnique<TId>

DigitalData.Core.API/ControllerExtensions.cs

@@ -19,7 +19,7 @@ namespace DigitalData.Core.API
         /// <param name="index">The key in the ViewData dictionary where the value will be stored.</param>
         /// <param name="value">The value to be stored in the ViewData dictionary.</param>
         /// <returns>The same ViewResult object with updated ViewData, allowing for additional chained operations.</returns>
-        public static ViewResult WithData(this ViewResult viewResult, string index, object value)
+        public static ViewResult WithData(this ViewResult viewResult, string index, object? value)
         {
             viewResult.ViewData[index] = value;
             return viewResult;

DigitalData.Core.API/DigitalData.Core.API.csproj

@@ -8,7 +8,7 @@
     <OutputType>Library</OutputType>
     <Description>This package provides a comprehensive set of API controllers and related utilities for the DigitalData.Core library. It includes generic CRUD controllers, localization extensions, middleware for security policies, and application model conventions.</Description>
     <PackageId>DigitalData.Core.API</PackageId>
-    <Version>2.0.0.0</Version>
+    <Version>2.1.1</Version>
     <Authors>Digital Data GmbH</Authors>
     <Company>Digital Data GmbH</Company>
     <Product>DigitalData.Core.API</Product>
@@ -16,6 +16,8 @@
     <RepositoryUrl>http://git.dd:3000/AppStd/WebCoreModules.git</RepositoryUrl>
     <PackageTags>digital data core api</PackageTags>
     <PackageIcon>core_icon.png</PackageIcon>
+    <AssemblyVersion>2.1.1</AssemblyVersion>
+    <FileVersion>2.1.1</FileVersion>
   </PropertyGroup>
 
   <ItemGroup>

DigitalData.Core.Abstractions/Application/IBasicCRUDService.cs

@@ -15,7 +15,7 @@ namespace DigitalData.Core.Abstractions.Application
     /// This interface is useful for entities that do not require different DTOs for different operations,
     /// allowing for a more concise and maintainable codebase when implementing services for such entities.
     /// </remarks>
-    public interface IBasicCRUDService<TDto, TEntity, TId> : ICRUDService<TDto, TDto, TDto, TEntity, TId>
+    public interface IBasicCRUDService<TDto, TEntity, TId> : ICRUDService<TDto, TDto, TEntity, TId>
         where TDto : class, IUnique<TId> where TEntity : class, IUnique<TId>
     {
     }

DigitalData.Core.Abstractions/Application/ICRUDService.cs

@@ -2,8 +2,8 @@
 
 namespace DigitalData.Core.Abstractions.Application
 {
-    public interface ICRUDService<TCreateDto, TReadDto, TUpdateDto, TEntity, TId> : IReadService<TReadDto, TEntity, TId>
-        where TCreateDto : class where TReadDto : class where TUpdateDto : IUnique<TId> where TEntity : class, IUnique<TId>
+    public interface ICRUDService<TCreateDto, TReadDto, TEntity, TId> : IReadService<TReadDto, TEntity, TId>
+        where TCreateDto : class where TReadDto : class where TEntity : class, IUnique<TId>
     {
         /// <summary>
         /// Asynchronously creates a new entity based on the provided <paramref name="createDto"/> and returns the identifier of the created entity wrapped in a <see cref="DataResult{TId}"/>.
@@ -20,6 +20,6 @@ namespace DigitalData.Core.Abstractions.Application
         /// </summary>
         /// <param name="updateDto">The updateDTO with updated values for the entity.</param>
         /// <returns>An Result indicating the outcome of the update operation, with an appropriate message.</returns>
-        Task<Result> UpdateAsync(TUpdateDto updateDto);
+        Task<Result> UpdateAsync<TUpdateDto>(TUpdateDto updateDto) where TUpdateDto : IUnique<TId>;
     }
 }

DigitalData.Core.Abstractions/DigitalData.Core.Abstractions.csproj

@@ -9,7 +9,7 @@
 		<Authors>Digital Data GmbH</Authors>
 		<Company>Digital Data GmbH</Company>
 		<Product>DigitalData.Core.Abstractions</Product>
-		<Description>This package contains abstractions for the DigitalData.Core.Abstractions library, developed according to the principles of Clean Architecture. It promotes separation of concerns and enables independent core logic.</Description>
+		<Description>This package contains abstractions for the DigitalData.Core library, developed according to the principles of Clean Architecture. It promotes separation of concerns and enables independent core logic.</Description>
 		<PackageTags>digital data core abstractions clean architecture</PackageTags>
 		<GeneratePackageOnBuild>True</GeneratePackageOnBuild>
 		<Copyright>Copyright 2024</Copyright>
@@ -17,9 +17,9 @@
 		<RepositoryUrl>http://git.dd:3000/AppStd/WebCoreModules.git</RepositoryUrl>
 		<PackAsTool>False</PackAsTool>
 		<PackageIcon>core_icon.png</PackageIcon>
-		<Version>2.2.1</Version>
-		<AssemblyVersion>2.2.1</AssemblyVersion>
-		<FileVersion>2.2.1</FileVersion>
+		<Version>3.1.0</Version>
+		<AssemblyVersion>3.1.0</AssemblyVersion>
+		<FileVersion>3.1.0</FileVersion>
 	</PropertyGroup>
 
 	<ItemGroup>

DigitalData.Core.Abstractions/Security/IAsymmetricDecryptor.cs

@@ -0,0 +1,9 @@
+namespace DigitalData.Core.Abstractions.Security
+{
+    public interface IAsymmetricDecryptor : IAsymmetricPrivateKey
+    {
+        byte[] Decrypt(byte[] data);
+
+        IAsymmetricEncryptor Encryptor { get; }
+    }
+}

DigitalData.Core.Abstractions/Security/IAsymmetricEncryptor.cs

@@ -0,0 +1,7 @@
+namespace DigitalData.Core.Abstractions.Security
+{
+    public interface IAsymmetricEncryptor : IAsymmetricPublicKey
+    {
+        byte[] Encrypt(byte[] data);
+    }
+}

DigitalData.Core.Abstractions/Security/IAsymmetricKey.cs

@@ -0,0 +1,9 @@
+namespace DigitalData.Core.Abstractions.Security
+{
+    public interface IAsymmetricKey
+    {
+        string? Id { get; }
+
+        string Content { get; }
+    }
+}

DigitalData.Core.Abstractions/Security/IAsymmetricKeyFactory.cs

@@ -0,0 +1,23 @@
+using System.Security.Cryptography;
+
+namespace DigitalData.Core.Abstractions.Security
+{
+    public interface IAsymmetricKeyFactory
+    {
+        string CreatePrivateKeyPem(int? keySizeInBits = null, bool encrypt = false);
+
+        string CreateEncryptedPrivateKeyPem(
+            PbeEncryptionAlgorithm? pbeEncryptionAlgorithm = null,
+            HashAlgorithmName? hashAlgorithmName = null,
+            int? iterationCount = null,
+            int? keySizeInBits = null,
+            string? password = null);
+
+        string CreateEncryptedPrivateKeyPem(
+            PbeParameters pbeParameters,
+            int? keySizeInBits = null,
+            string? password = null);
+
+        IAsymmetricDecryptor CreateDecryptor(string pem, string? issuer = null, string? audience = null, bool encrypt = false, RSAEncryptionPadding? padding = null);
+    }
+}

DigitalData.Core.Abstractions/Security/IAsymmetricPrivateKey.cs

@@ -0,0 +1,9 @@
+namespace DigitalData.Core.Abstractions.Security
+{
+    public interface IAsymmetricPrivateKey : IAsymmetricKey
+    {
+        bool IsEncrypted { get; }
+
+        IAsymmetricPublicKey PublicKey { get; }
+    }
+}

DigitalData.Core.Abstractions/Security/IAsymmetricPublicKey.cs

@@ -0,0 +1,6 @@
+namespace DigitalData.Core.Abstractions.Security
+{
+    public interface IAsymmetricPublicKey : IAsymmetricKey
+    {
+    }
+}

DigitalData.Core.Abstractions/Security/IAsymmetricTokenDescriptor.cs

@@ -0,0 +1,74 @@
+using Microsoft.IdentityModel.Tokens;
+
+namespace DigitalData.Core.Abstractions.Security
+{
+    /// <summary>
+    /// Contains some information which used to create a security token. Designed to abstract <see cref="SecurityTokenDescriptor"/>
+    /// </summary>
+    public interface IAsymmetricTokenDescriptor : IAsymmetricPrivateKey, IUniqueSecurityContext
+    {
+        IAsymmetricTokenValidator Validator { get; }
+
+        TimeSpan Lifetime { get; init; }
+
+        #region SecurityTokenDescriptor Map
+        /// <summary>
+        /// Defines the compression algorithm that will be used to compress the JWT token payload.
+        /// </summary>
+        string CompressionAlgorithm { get; }
+
+        /// <summary>
+        /// Gets or sets the <see cref="EncryptingCredentials"/> used to create a encrypted security token.
+        /// </summary>
+        EncryptingCredentials EncryptingCredentials { get; }
+
+        /// <summary>
+        /// Gets or sets the value of the 'expiration' claim. This value should be in UTC.
+        /// </summary>
+        DateTime? Expires { get; }
+
+        /// <summary>
+        /// Gets or sets the time the security token was issued. This value should be in UTC.
+        /// </summary>
+        DateTime? IssuedAt { get; }
+
+        /// <summary>
+        /// Gets or sets the notbefore time for the security token. This value should be in UTC.
+        /// </summary>
+        DateTime? NotBefore { get; }
+
+        /// <summary>
+        /// Gets or sets the token type.
+        /// <remarks> If provided, this will be added as the value for the 'typ' header parameter. In the case of a JWE, this will be added to both the inner (JWS) and the outer token (JWE) header. By default, the value used is 'JWT'.
+        /// If <see cref="AdditionalHeaderClaims"/> also contains 'typ' header claim value, it will override the TokenType provided here.
+        /// This value is used only for JWT tokens and not for SAML/SAML2 tokens</remarks>
+        /// </summary>
+        string TokenType { get; }
+
+        /// <summary>
+        /// Gets or sets the <see cref="Dictionary{TKey, TValue}"/> which contains any custom header claims that need to be added to the JWT token header.
+        /// The 'alg', 'kid', 'x5t', 'enc', and 'zip' claims are added by default based on the <see cref="SigningCredentials"/>,
+        /// <see cref="EncryptingCredentials"/>, and/or <see cref="CompressionAlgorithm"/> provided and SHOULD NOT be included in this dictionary as this
+        /// will result in an exception being thrown. 
+        /// <remarks> These claims are only added to the outer header (in case of a JWE).</remarks>
+        /// </summary>
+        IDictionary<string, object> AdditionalHeaderClaims { get; }
+
+        /// <summary>
+        /// Gets or sets the <see cref="Dictionary{TKey, TValue}"/> which contains any custom header claims that need to be added to the inner JWT token header.
+        /// The 'alg', 'kid', 'x5t', 'enc', and 'zip' claims are added by default based on the <see cref="SigningCredentials"/>,
+        /// <see cref="EncryptingCredentials"/>, and/or <see cref="CompressionAlgorithm"/> provided and SHOULD NOT be included in this dictionary as this
+        /// will result in an exception being thrown. 
+        /// <remarks>
+        /// For JsonWebTokenHandler, these claims are merged with <see cref="AdditionalHeaderClaims"/> while adding to the inner JWT header.
+        /// </remarks>
+        /// </summary>
+        IDictionary<string, object> AdditionalInnerHeaderClaims { get; }
+
+        /// <summary>
+        /// Gets or sets the <see cref="SigningCredentials"/> used to create a security token.
+        /// </summary>
+        SigningCredentials SigningCredentials { get; }
+        #endregion SecurityTokenDescriptor
+    }
+}

DigitalData.Core.Abstractions/Security/IAsymmetricTokenValidator.cs

@@ -0,0 +1,9 @@
+using Microsoft.IdentityModel.Tokens;
+
+namespace DigitalData.Core.Abstractions.Security
+{
+    public interface IAsymmetricTokenValidator : IAsymmetricPublicKey
+    {
+        SecurityKey SecurityKey { get; }
+    }
+}

DigitalData.Core.Abstractions/Security/ICryptFactory.cs

@@ -1,48 +0,0 @@
-using System.Security.Cryptography;
-
-namespace DigitalData.Core.Abstractions.Security
-{
-    public interface ICryptFactory
-    {
-        int KeySizeInBits { get; init; }
-
-        string PbePassword { init; }
-
-        PbeEncryptionAlgorithm PbeEncryptionAlgorithm { get; init; }
-
-        HashAlgorithmName PbeHashAlgorithmName { get; init; }
-
-        int PbeIterationCount { get; init; }
-
-        PbeParameters PbeParameters { get; }
-
-        string EncryptedPrivateKeyPemLabel { get; init; }
-
-        /// <summary>
-        /// Gets the formatter function for generating RSA key names.
-        /// This formatter takes an issuer, audience, isPrivate, and optional version and separator
-        /// to produce a formatted string used for the key naming convention.
-        /// </summary>
-        /// <param name="issuer">A string representing the issuer of the key. It should not contain invalid file name characters or the separator.</param>
-        /// <param name="audience">A string representing the audience for which the key is intended. It should not contain invalid file name characters or the separator.</param>
-        /// <param name="isPrivate">An bool to check if the key is private.</param>
-        /// <param name="version">An instance of the <see cref="Version?"/> interface, which is used to keep the version of Pbe password.</param>
-        /// <param name="separator">An optional string separator used to separate the issuer and audience. The default is "-_-". It should not be included in the issuer or audience strings.</param>
-        /// <returns>A formatted string combining the issuer, audience, and separator, which adheres to valid file naming rules.</returns>
-        /// <exception cref="ArgumentException">Thrown when the issuer, audience, or separator contains invalid characters or when the separator is present within the issuer or audience.</exception>
-        Func<string, string, bool, Version?, string?, string> RSAKeyNameFormatter { get; }
-
-        string CreateRSAPrivateKeyPem(int? keySizeInBits = null);
-
-        string CreateEncryptedPrivateKeyPem(
-            int? keySizeInBits = null,
-            string? password = null,
-            PbeEncryptionAlgorithm? pbeEncryptionAlgorithm = null,
-            HashAlgorithmName? hashAlgorithmName = null,
-            int? iterationCount = null);
-        
-        IRSADecryptor this[string key] { get; }
-
-        bool TryGetRSADecryptor(string key, out IRSADecryptor? decryptor);
-    }
-}

DigitalData.Core.Abstractions/Security/ICryptoFactory.cs

@@ -0,0 +1,11 @@
+namespace DigitalData.Core.Abstractions.Security
+{
+    public interface ICryptoFactory : IAsymmetricKeyFactory
+    {
+        IEnumerable<IAsymmetricDecryptor> Decryptors { get; }
+
+        IAsymmetricDecryptor VaultDecryptor { get; }
+
+        IEnumerable<IAsymmetricTokenDescriptor> TokenDescriptors { get; }
+    }
+}

DigitalData.Core.Abstractions/Security/IJwtSignatureHandler.cs

@@ -0,0 +1,15 @@
+using Microsoft.IdentityModel.Tokens;
+
+namespace DigitalData.Core.Abstractions.Security
+{
+    public interface IJwtSignatureHandler<TPrincipal>
+    {
+        SecurityToken CreateToken(SecurityTokenDescriptor tokenDescriptor);
+
+        SecurityToken CreateToken(TPrincipal subject, IAsymmetricTokenDescriptor descriptor);
+
+        SecurityToken CreateToken(TPrincipal subject, string issuer, string audience);
+
+        string WriteToken(SecurityToken token);
+    }
+}

DigitalData.Core.Abstractions/Security/IRSACryptographer.cs

@@ -1,11 +0,0 @@
-using System.Security.Cryptography;
-
-namespace DigitalData.Core.Abstractions.Security
-{
-    public interface IRSACryptographer
-    {
-        public string Pem { get; init; }
-
-        public RSAEncryptionPadding Padding { get; init; }
-    }
-}

DigitalData.Core.Abstractions/Security/IRSADecryptor.cs

@@ -1,17 +0,0 @@
-namespace DigitalData.Core.Abstractions.Security
-{
-    public interface IRSADecryptor : IRSACryptographer
-    {
-        (string Value, Version Version)? VersionedPassword { init; }
-
-        Version? PasswordVersion { get; }
-
-        bool HasEncryptedPem { get; }
-
-        IRSAEncryptor Encryptor { get; }
-
-        byte[] Decrypt(byte[] data);
-
-        string Decrypt(string data);
-    }
-}

DigitalData.Core.Abstractions/Security/IRSAEncryptor.cs

@@ -1,11 +0,0 @@
-namespace DigitalData.Core.Abstractions.Security
-{
-    public interface IRSAEncryptor : IRSACryptographer
-    {
-        public byte[] Encrypt(byte[] data);
-
-        public string Encrypt(string data);
-
-        public bool Verify(string data, string signature) => Encrypt(data) == signature;
-    }
-}

DigitalData.Core.Abstractions/Security/IUniqueSecurityContext.cs

@@ -0,0 +1,24 @@
+namespace DigitalData.Core.Abstractions.Security
+{
+    /// <summary>
+    /// Represents a unique security context that identifies an issuer and an audience.
+    /// </summary>
+    public interface IUniqueSecurityContext
+    {
+        /// <summary>
+        /// Gets the issuer identifier for this security context.
+        /// </summary>
+        /// <remarks>
+        /// The issuer typically represents the entity that issues a token or a cryptographic key.
+        /// </remarks>
+        string Issuer { get; }
+
+        /// <summary>
+        /// Gets the audience identifier for this security context.
+        /// </summary>
+        /// <remarks>
+        /// The audience typically represents the intended recipient or target of a token or cryptographic operation.
+        /// </remarks>
+        string Audience { get; }
+    }
+}

DigitalData.Core.Abstractions/Security/SecurityExtensions.cs

@@ -0,0 +1,62 @@
+using Microsoft.IdentityModel.Tokens;
+using System.Text;
+
+namespace DigitalData.Core.Abstractions.Security
+{
+    public static class SecurityExtensions
+    {
+        #region Unique Security Context
+        public static IEnumerable<TUniqueSecurityContext> GetByIssuer<TUniqueSecurityContext>(this IEnumerable<TUniqueSecurityContext> contextes, string issuer) where TUniqueSecurityContext: IUniqueSecurityContext
+            => contextes.Where(c => c.Issuer == issuer);
+
+        public static IEnumerable<TUniqueSecurityContext> GetByAudience<TUniqueSecurityContext>(this IEnumerable<TUniqueSecurityContext> contextes, string audience) where TUniqueSecurityContext : IUniqueSecurityContext
+            => contextes.Where(c => c.Audience == audience);
+
+        public static TUniqueSecurityContext Get<TUniqueSecurityContext>(this IEnumerable<TUniqueSecurityContext> contextes, string issuer, string audience) where TUniqueSecurityContext : IUniqueSecurityContext
+            => contextes.Where(c => c.Issuer == issuer && c.Audience == audience).SingleOrDefault()
+            ?? throw new InvalidOperationException($"Exactly one {typeof(TUniqueSecurityContext).Name} must exist with Issuer: '{issuer}' and Audience: '{audience}'.");
+
+        public static bool TryGet<TUniqueSecurityContext>(this IEnumerable<TUniqueSecurityContext> contextes, string issuer, string audience, out TUniqueSecurityContext context) where TUniqueSecurityContext : IUniqueSecurityContext
+        {
+#pragma warning disable CS8601 // Possible null reference assignment.
+            context = contextes.SingleOrDefault(c => c.Issuer == issuer && c.Audience == audience);
+#pragma warning restore CS8601 // Possible null reference assignment.
+            return context is not null;
+        }
+
+        public static TUniqueSecurityContext Match<TUniqueSecurityContext>(this IEnumerable<TUniqueSecurityContext> contextes, IUniqueSecurityContext lookupContext) where TUniqueSecurityContext : IUniqueSecurityContext
+            => contextes.Get(lookupContext.Issuer, lookupContext.Audience);
+
+        public static bool TryMatch<TUniqueSecurityContext>(this IEnumerable<TUniqueSecurityContext> contextes, IUniqueSecurityContext lookupContext, out TUniqueSecurityContext context) where TUniqueSecurityContext : IUniqueSecurityContext
+            => contextes.TryGet(lookupContext.Issuer, lookupContext.Audience, out context);
+        #endregion Unique Security Context
+
+        #region De/serilization
+        internal static byte[] Base64ToByte(this string base64String) => Convert.FromBase64String(base64String);
+
+        internal static string BytesToString(this byte[] bytes) => Encoding.UTF8.GetString(bytes);
+
+        internal static string ToBase64String(this byte[] bytes) => Convert.ToBase64String(bytes);
+
+        internal static byte[] ToBytes(this string str) => System.Text.Encoding.UTF8.GetBytes(str);
+
+        public static string Decrypt(this IAsymmetricDecryptor decryptor, string data) => decryptor
+            .Decrypt(data.Base64ToByte()).BytesToString();
+        #endregion De/serilization
+
+        #region Asymmetric Encryptor
+        public static string Encrypt(this IAsymmetricEncryptor encryptor, string data) => encryptor.Encrypt(data.ToBytes()).ToBase64String();
+        #endregion Asymmetric Encryptor
+
+        #region Jwt Signature Handler
+        public static string WriteToken<TPrincipal>(this IJwtSignatureHandler<TPrincipal> handler, SecurityTokenDescriptor descriptor)
+            => handler.WriteToken(handler.CreateToken(descriptor));
+
+        public static string WriteToken<TPrincipal>(this IJwtSignatureHandler<TPrincipal> handler, TPrincipal subject, IAsymmetricTokenDescriptor descriptor)
+            => handler.WriteToken(handler.CreateToken(subject: subject, descriptor: descriptor));
+
+        public static string WriteToken<TPrincipal>(this IJwtSignatureHandler<TPrincipal> handler, TPrincipal subject, string issuer, string audience)
+            => handler.WriteToken(handler.CreateToken(subject: subject, issuer: issuer, audience: audience));
+        #endregion Jwt Signature Handler
+    }
+}

DigitalData.Core.Application/BasicCRUDService.cs

@@ -19,7 +19,7 @@ namespace DigitalData.Core.Application
     /// and a culture-specific translation service for any necessary text translations, ensuring a versatile and internationalized approach to CRUD operations.
     /// </remarks>
     public class BasicCRUDService<TCRUDRepository, TDto, TEntity, TId> :
-        CRUDService<TCRUDRepository, TDto, TDto, TDto, TEntity, TId>, IBasicCRUDService<TDto, TEntity, TId>
+        CRUDService<TCRUDRepository, TDto, TDto, TEntity, TId>, IBasicCRUDService<TDto, TEntity, TId>
          where TCRUDRepository : ICRUDRepository<TEntity, TId> where TDto : class, IUnique<TId> where TEntity : class, IUnique<TId>
     {
         /// <summary>

DigitalData.Core.Application/CRUDService.cs

@@ -12,11 +12,10 @@ namespace DigitalData.Core.Application
     /// </summary>
     /// <typeparam name="TCreateDto">The DTO type for create operations.</typeparam>
     /// <typeparam name="TReadDto">The DTO type for read operations.</typeparam>
-    /// <typeparam name="TUpdateDto">The DTO type for update operations.</typeparam>
     /// <typeparam name="TEntity">The entity type.</typeparam>
     /// <typeparam name="TId">The type of the identifier for the entity.</typeparam>
-    public class CRUDService<TCRUDRepository, TCreateDto, TReadDto, TUpdateDto, TEntity, TId> : ReadService<TCRUDRepository, TReadDto, TEntity, TId>, ICRUDService<TCreateDto, TReadDto, TUpdateDto, TEntity, TId>
-        where TCRUDRepository : ICRUDRepository<TEntity, TId> where TCreateDto : class where TReadDto : class where TUpdateDto : IUnique<TId> where TEntity : class, IUnique<TId>
+    public class CRUDService<TCRUDRepository, TCreateDto, TReadDto, TEntity, TId> : ReadService<TCRUDRepository, TReadDto, TEntity, TId>, ICRUDService<TCreateDto, TReadDto, TEntity, TId>
+        where TCRUDRepository : ICRUDRepository<TEntity, TId> where TCreateDto : class where TReadDto : class where TEntity : class, IUnique<TId>
     {
 
         /// <summary>
@@ -45,7 +44,7 @@ namespace DigitalData.Core.Application
         /// </summary>
         /// <param name="updateDto">The DTO to update an entity from.</param>
         /// <returns>A service message indicating success or failure.</returns>
-        public virtual async Task<Result> UpdateAsync(TUpdateDto updateDto)
+        public virtual async Task<Result> UpdateAsync<TUpdateDto>(TUpdateDto updateDto) where TUpdateDto : IUnique<TId>
         {
             var currentEntitiy = await _repository.ReadByIdAsync(updateDto.Id);
 

DigitalData.Core.Application/DIExtensions.cs

@@ -40,7 +40,6 @@ namespace DigitalData.Core.Application
         /// <typeparam name="TCRUDRepository">The repository type that provides CRUD operations for entities of type TEntity.</typeparam>
         /// <typeparam name="TCreateDto">The DTO type used for create operations.</typeparam>
         /// <typeparam name="TReadDto">The DTO type used for read operations.</typeparam>
-        /// <typeparam name="TUpdateDto">The DTO type used for update operations.</typeparam>
         /// <typeparam name="TEntity">The entity type corresponding to the DTOs.</typeparam>
         /// <typeparam name="TId">The type of the entity's identifier.</typeparam>
         /// <typeparam name="TProfile">The AutoMapper profile type for configuring mappings between the DTOs and the entity.</typeparam>
@@ -48,9 +47,9 @@ namespace DigitalData.Core.Application
         /// <param name="configureService">An optional action to configure additional services for the CRUD service.</param>
         /// <returns>The original <see cref="IServiceCollection"/> instance, allowing further configuration.</returns>
         public static IServiceCollection AddCleanCRUDService<TCRUDRepository, TCreateDto, TReadDto, TUpdateDto, TEntity, TId, TProfile>(this IServiceCollection services, Action<IServiceCollection>? configureService = null)
-            where TCRUDRepository : ICRUDRepository<TEntity, TId> where TCreateDto : class where TReadDto : class where TUpdateDto : class, IUnique<TId> where TEntity : class, IUnique<TId> where TProfile : Profile
+            where TCRUDRepository : ICRUDRepository<TEntity, TId> where TCreateDto : class where TReadDto : class, IUnique<TId> where TEntity : class, IUnique<TId> where TProfile : Profile
         {
-            services.AddScoped<ICRUDService<TCreateDto, TReadDto, TUpdateDto, TEntity, TId>, CRUDService<TCRUDRepository, TCreateDto, TReadDto, TUpdateDto, TEntity, TId>>();
+            services.AddScoped<ICRUDService<TCreateDto, TReadDto, TEntity, TId>, CRUDService<TCRUDRepository, TCreateDto, TReadDto, TEntity, TId>>();
             configureService?.Invoke(services);
 
             services.AddAutoMapper(typeof(TProfile).Assembly);

DigitalData.Core.Application/DigitalData.Core.Application.csproj

@@ -14,7 +14,9 @@
     <PackageIcon>core_icon.png</PackageIcon>
     <RepositoryUrl>http://git.dd:3000/AppStd/WebCoreModules.git</RepositoryUrl>
     <PackageTags>digital data core application clean architecture</PackageTags>
-    <Version>2.0.0.0</Version>
+    <Version>3.0.1</Version>
+    <AssemblyVersion>3.0.1</AssemblyVersion>
+    <FileVersion>3.0.1</FileVersion>
   </PropertyGroup>
 
   <ItemGroup>

DigitalData.Core.Client/BaseHttpClientService.cs

@@ -86,7 +86,7 @@ namespace DigitalData.Core.Client
             {
                 var query = HttpUtility.ParseQueryString(uriBuilder.Query);
 
-                var flagParams = queryParams.Where(param => param.Value is null).Select(param => HttpUtility.UrlEncode(param.Key));
+                var flagParams = queryParams.Where(param => param.Value is null).Select(param => param.Key);
 
                 var valueParams = queryParams.Where(param => param.Value is not null);
 
@@ -94,12 +94,12 @@ namespace DigitalData.Core.Client
                     query[param.Key] = param.Value switch
                     {
                         bool b => b.ToString().ToLower(),
-                        _ => HttpUtility.UrlEncode(param.Value.ToString())
+                        _ => param.Value.ToString()
                     };
 
-                var flagQuery = string.Join(QUERY_SEPARATOR, flagParams);
-
-                uriBuilder.Query = string.Join(QUERY_SEPARATOR, query.ToString(), flagQuery);
+                if (flagParams.Any())
+                    uriBuilder.Query = string.Join(QUERY_SEPARATOR, query.ToString(), string.Join(QUERY_SEPARATOR, flagParams));
+                else uriBuilder.Query = query.ToString();
             }
 
             var requestUri = uriBuilder.Uri;

DigitalData.Core.Client/DigitalData.Core.Client.csproj

@@ -6,7 +6,7 @@
     <Nullable>enable</Nullable>
     <Description>This package provides HTTP client extension methods for the DigitalData.Core library, offering simplified and asynchronous methods for fetching and handling HTTP responses. It includes utility methods for sending GET requests, reading response content as text or JSON, and deserializing JSON into dynamic or strongly-typed objects using Newtonsoft.Json. These extensions facilitate efficient and easy-to-read HTTP interactions in client applications.</Description>
     <PackageId>DigitalData.Core.Client</PackageId>
-    <Version>2.0.1</Version>
+    <Version>2.0.3</Version>
     <Authors>Digital Data GmbH</Authors>
     <Company>Digital Data GmbH</Company>
     <Product>Digital Data GmbH</Product>
@@ -15,8 +15,8 @@
     <PackageIcon>core_icon.png</PackageIcon>
     <RepositoryUrl>http://git.dd:3000/AppStd/WebCoreModules.git</RepositoryUrl>
     <PackageTags>digital data core http client json serilization</PackageTags>
-    <AssemblyVersion>2.0.1</AssemblyVersion>
-    <FileVersion>2.0.1</FileVersion>
+    <AssemblyVersion>2.0.3</AssemblyVersion>
+    <FileVersion>2.0.3</FileVersion>
   </PropertyGroup>
 
   <ItemGroup>

DigitalData.Core.Security.Extensions/DigitalData.Core.Security.Extensions.csproj

@@ -1,13 +0,0 @@
-<Project Sdk="Microsoft.NET.Sdk">
-
-  <PropertyGroup>
-    <TargetFrameworks>net7.0;net8.0</TargetFrameworks>
-    <ImplicitUsings>enable</ImplicitUsings>
-    <Nullable>enable</Nullable>
-  </PropertyGroup>
-
-  <ItemGroup>
-    <ProjectReference Include="..\DigitalData.Core.Abstractions\DigitalData.Core.Abstractions.csproj" />
-  </ItemGroup>
-
-</Project>

DigitalData.Core.Security.Extensions/Extensions.cs

@@ -1,13 +0,0 @@
-namespace DigitalData.Core.Security.Extensions
-{
-    public static class Extensions
-    {
-        public static string ToBase64String(this byte[] bytes) => Convert.ToBase64String(bytes);
-
-        public static byte[] Base64ToByte(this string base64String) => Convert.FromBase64String(base64String);
-
-        public static byte[] ToBytes(this string str) => System.Text.Encoding.UTF8.GetBytes(str);
-
-        public static string BytesToString(this byte[] bytes) => System.Text.Encoding.UTF8.GetString(bytes);
-    }
-}

DigitalData.Core.Security.Extensions/RSAExtensions.cs

@@ -1,66 +0,0 @@
-using DigitalData.Core.Abstractions.Security;
-using System.Collections.Concurrent;
-using System.Security.Cryptography;
-
-namespace DigitalData.Core.Security.Extensions
-{
-    public static class RSAExtensions
-    {
-        public static RSA ToRSA(this string pem)
-        {
-            var rsa = RSA.Create();
-            rsa.ImportFromPem(pem);
-            return rsa;
-        }
-
-        public static IRSADecryptor GetRSADecryptor(this ICryptFactory factory, string issuer, string audience, Version? version = null, string? seperator = null)
-            => factory[factory.RSAKeyNameFormatter(issuer, audience, true, version, seperator)];
-
-        public static bool TryGetRSADecryptor(this ICryptFactory factory, string issuer, string audience, out IRSADecryptor? decryptor, Version? version = null, string? seperator = null)
-            => factory.TryGetRSADecryptor(factory.RSAKeyNameFormatter(issuer, audience, true, version, seperator), out decryptor);
-
-        private static string CreatePath(string filename, string? directory = null)
-        {
-            directory ??= Environment.CurrentDirectory;
-
-            if (!Directory.Exists(directory))
-            {
-                Directory.CreateDirectory(directory);
-            }
-
-            return Path.Combine(directory, $"{filename}.pem");
-        }
-
-        private static readonly ConcurrentDictionary<string, SemaphoreSlim> FileLocks = new();
-
-        public static void SavePem(this IRSACryptographer decryptor, string key, string? directory = null)
-        {
-            var filePath = CreatePath(filename: key, directory : directory);
-            var fileLock = FileLocks.GetOrAdd(filePath, _ => new (1, 1));
-            fileLock.Wait();
-            try
-            {
-                File.WriteAllText(filePath, decryptor.Pem);
-            }
-            finally
-            {
-                fileLock.Release();
-            }
-        }
-
-        public static async Task SavePemAsync(this IRSACryptographer decryptor, string key, string? directory = null)
-        {
-            var filePath = CreatePath(filename: key, directory: directory);
-            var fileLock = FileLocks.GetOrAdd(filePath, _ => new (1, 1));
-            await fileLock.WaitAsync();
-            try
-            {
-                await File.WriteAllTextAsync(filePath, decryptor.Pem);
-            }
-            finally
-            {
-                fileLock.Release();
-            }
-        }
-    }
-}

DigitalData.Core.Security/Config/ClaimDescriptor.cs

@@ -0,0 +1,11 @@
+using System.Security.Claims;
+
+namespace DigitalData.Core.Security.Config
+{
+    public class ClaimDescriptor<TPrincipal>
+    {
+        public Func<TPrincipal, IDictionary<string, object>>? CreateClaims { get; init; }
+
+        public Func<TPrincipal, ClaimsIdentity>? CreateSubject { get; init; }
+    }
+}

DigitalData.Core.Security/Config/CryptoFactoryParams.cs

@@ -0,0 +1,104 @@
+using DigitalData.Core.Security.RSAKey;
+
+namespace DigitalData.Core.Security.Config
+{
+    public class CryptoFactoryParams : RSAFactoryParams
+    {
+        public string PemDirectory { get; init; } = string.Empty;
+
+        /// <summary>
+        /// Represents the separator used to concatenate the components of a file-related token string.
+        /// </summary>
+        /// <remarks>
+        /// The resulting file-related token string is constructed as follows:
+        /// <c>string.Join(FileNameSeparator, Issuer, Audience, Secret_version)</c>.
+        /// If <c>Secret_version</c> is not null, it will be included in the concatenation.
+        /// </remarks>
+        /// <example>
+        /// For example, if <c>FileNameSeparator = "_-_"</c>, the output might look like:
+        /// <c>"Issuer_-_Audience_-_Secret_version"</c>.
+        /// </example>
+        public string FileNameSeparator { get; init; } = "_-_";
+
+        public string FileExtension { get; init; } = "pem";
+
+        /// <summary>
+        ///This is the subtext of the pem file name. For the file to be automatically renewed, the name must be assigned to change periodically. For example, by default MM/2 will be refreshed every 2 months.
+        /// <br />
+        /// - <see cref="StringExtensions.ToTag(DateTime, string)" /> is used when converting to tag.
+        /// <br />
+        /// - If the format contains the symbol “//”, the method divides the numeric value obtained from the left side of the format
+        ///   by one minus the numeric value obtained from the right side of the format string and adds one. For instance:
+        /// <br />
+        /// - If the date is 02.03.2024 and the format is "MM//2", it extracts the month (02), subtracts one (3), divides it by 2,
+        ///   rounds down the outgoing number (1), adds one to the number (resulting in 2).
+        ///   <br />
+        /// - If the format does not contain "//", the method uses the default <see cref="DateTime.ToString"/> format.
+        /// <br />
+        /// This method provides a way to format the date based on typical or customized rules, including mathematical operations like division.
+        /// </summary>
+        public string DateTagFormat { get; init; } = "MM//2";
+
+        public IEnumerable<RSADecryptor> Decryptors { get; init; } = new List<RSADecryptor>();
+
+        public IEnumerable<RSATokenDescriptor> TokenDescriptors { get; init; } = new List<RSATokenDescriptor>();
+
+        public RSADecryptor? VaultDecryptor { get; init; }
+
+        public CryptoFactoryParams()
+        {
+            // init decryptors
+            AfterCreate += () =>
+            {
+                // Create root folder if it does not exist
+                if (!Directory.Exists(PemDirectory))
+                    Directory.CreateDirectory(PemDirectory);
+
+                var privateKeys = new List<RSAPrivateKey>();
+                privateKeys.AddRange(Decryptors);
+                privateKeys.AddRange(TokenDescriptors);
+                if (VaultDecryptor is not null)
+                    privateKeys.Add(VaultDecryptor);
+
+                foreach (var privateKey in privateKeys)
+                {
+                    // set default path
+                    if (privateKey.IsPemNull)
+                    {
+                        // file name 
+                        var file_name_params = new List<object>();
+
+                        if (privateKey.Id is not null)
+                            file_name_params.Add(privateKey.Id);
+                        else if (privateKey is RSATokenDescriptor descriptor)
+                            file_name_params.Add(descriptor.Issuer);
+
+                        file_name_params.Add(KeySizeInBits);
+                        file_name_params.Add(DateTime.Now.ToTag(DateTagFormat));
+
+                        if (privateKey.IsEncrypted)
+                            file_name_params.Add(Secrets.Version);
+
+                        var file_name = $"{string.Join(FileNameSeparator, file_name_params)}.{FileExtension}";
+
+                        var path = Path.Combine(PemDirectory, file_name);
+
+                        if (File.Exists(path))
+                            privateKey.SetPem(File.ReadAllText(path));
+                        else
+                        {
+                            var pem = privateKey.IsEncrypted
+                                ? Instance.RSAFactory.CreateEncryptedPrivateKeyPem(pbeParameters: PbeParameters, keySizeInBits: KeySizeInBits, password: Secrets.PBE_PASSWORD)
+                                : Instance.RSAFactory.CreatePrivateKeyPem(keySizeInBits: KeySizeInBits);
+
+                            privateKey.SetPem(pem);
+
+                            // Save file in background
+                            Task.Run(async () => await File.WriteAllTextAsync(path: path, pem));
+                        }
+                    }
+                }
+            };
+        }
+    }
+}

DigitalData.Core.Security/Config/MappingProfile.cs

@@ -0,0 +1,14 @@
+using AutoMapper;
+using DigitalData.Core.Abstractions.Security;
+using Microsoft.IdentityModel.Tokens;
+
+namespace DigitalData.Core.Security.Config
+{
+    public class MappingProfile : Profile
+    {
+        public MappingProfile()
+        {
+            CreateMap<IAsymmetricTokenDescriptor, SecurityTokenDescriptor>();
+        }
+    }
+}

DigitalData.Core.Security/Config/ParamsConfigureOptions.cs

@@ -0,0 +1,9 @@
+using Microsoft.Extensions.Options;
+
+namespace DigitalData.Core.Security.Config
+{
+    public class ParamsConfigureOptions<TParams> : IConfigureOptions<TParams> where TParams : RSAFactoryParams
+    {
+        public void Configure(TParams options) => options.Init();
+    }
+}

DigitalData.Core.Security/Config/RSAFactoryParams.cs

@@ -0,0 +1,59 @@
+using System.Reflection;
+using System.Security.Cryptography;
+using System.Text.Json.Serialization;
+
+namespace DigitalData.Core.Security.Config
+{
+    public class RSAFactoryParams : IJsonOnDeserialized
+    {
+        public int KeySizeInBits { get; init; } = 2048;
+
+        public string PbePassword { internal get; init; } = Secrets.PBE_PASSWORD;
+
+        public PbeEncryptionAlgorithm PbeEncryptionAlgorithm { get; init; } = PbeEncryptionAlgorithm.Aes256Cbc;
+
+        public HashAlgorithmName PbeHashAlgorithm { get; init; } = HashAlgorithmName.SHA256;
+
+        // TODO: add as json converter to IConfigurIConfiguration.Config
+        public string PbeHashAlgorithmName
+        {
+            get => PbeHashAlgorithm.ToString();
+            init => PbeHashAlgorithm = (typeof(HashAlgorithmName).GetProperty(value, BindingFlags.Public | BindingFlags.Static)?.GetValue(null) is HashAlgorithmName hashAlgorithmName)
+                ? hashAlgorithmName
+                : new(value);            
+        }
+
+        public int PbeIterationCount { get; init; } = 100_000;
+
+        public string EncryptedPrivateKeyPemLabel { get; init; } = "ENCRYPTED PRIVATE KEY";
+
+        private PbeParameters? _pbeParameters;
+
+        [JsonIgnore]
+        public PbeParameters PbeParameters => _pbeParameters!;
+
+        /// <summary>
+        /// Provides a thread-safe initialization mechanism using Lazy initialization.
+        /// </summary>
+        private readonly Lazy<bool> _lazyInitializer;
+
+        public bool IsInitialized => _lazyInitializer.IsValueCreated;
+
+        public RSAFactoryParams()
+        {
+            _lazyInitializer = new(() =>
+            {
+                AfterCreate?.Invoke();
+                return true;
+            });
+
+            AfterCreate += () => _pbeParameters = new PbeParameters(PbeEncryptionAlgorithm, PbeHashAlgorithm, PbeIterationCount);
+        }
+
+        protected event Action AfterCreate;
+
+        public void Init() => _ = _lazyInitializer.Value;
+        
+        public void OnDeserialized() => Init();
+    }
+}

DigitalData.Core.Security/CryptFactory.cs

@@ -1,25 +0,0 @@
-using DigitalData.Core.Abstractions.Security;
-using Microsoft.Extensions.Logging;
-
-namespace DigitalData.Core.Security
-{
-    public class CryptFactory : RSAFactory, ICryptFactory
-    {
-        private readonly IDictionary<string, IRSADecryptor> _decryptors;
-
-        public IRSADecryptor this[string key] { get => _decryptors[key]; set => _decryptors[key] = value; }
-
-        public Func<string, string, bool, Version?, string?, string> RSAKeyNameFormatter { get; }
-
-        public CryptFactory(ILogger<CryptFactory> logger, IDictionary<string, IRSADecryptor> decryptors, Func<string, string, bool, Version?, string?, string> rsaKeyNameFormatter) : base()
-        {
-            _decryptors = decryptors ?? new Dictionary<string, IRSADecryptor>();
-
-            RSAKeyNameFormatter = rsaKeyNameFormatter;
-
-            logger?.LogInformation("Core.Secrets version: {Version}, Created on: {CreationDate}.", Secrets.Version, Secrets.CreationDate.ToString("dd.MM.yyyy"));
-        }
-
-        public bool TryGetRSADecryptor(string key, out IRSADecryptor? decryptor) => _decryptors.TryGetValue(key, out decryptor);
-    }
-}

DigitalData.Core.Security/CryptoFactory.cs

@@ -0,0 +1,38 @@
+using DigitalData.Core.Abstractions.Security;
+using DigitalData.Core.Security.Config;
+using DigitalData.Core.Security.RSAKey;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+ 
+namespace DigitalData.Core.Security
+{
+    public class CryptoFactory : RSAFactory<CryptoFactoryParams>, ICryptoFactory, IAsymmetricKeyFactory
+    {
+        public IEnumerable<IAsymmetricDecryptor> Decryptors { get; }
+        
+        /// <summary>
+        /// It is a separate decryptor for permanently stored encrypted data. It is assigned to the first Default decryptor by default.
+        /// </summary>
+        public IAsymmetricDecryptor VaultDecryptor { get; }
+
+        public IEnumerable<IAsymmetricTokenDescriptor> TokenDescriptors { get; init; } = new List<IAsymmetricTokenDescriptor>();
+
+        public CryptoFactory(IOptions<CryptoFactoryParams> options, ILogger<CryptoFactory>? logger = null) : base(options)
+        {
+            logger?.LogInformation("Core.Secrets version: {Version}, Created on: {CreationDate}.", Secrets.Version, Secrets.CreationDate.ToString("dd.MM.yyyy"));
+
+            if (!_params.Decryptors.Any())
+                throw new InvalidOperationException(
+                    "Any decryptor is not found. Ensure that at least one decryptor is configured in the provided parameters. " +
+                    "This issue typically arises if the configuration for decryptors is incomplete or missing. " +
+                    "Check the 'Decryptors' collection in the configuration and verify that it contains valid entries."
+                );
+
+            Decryptors = _params.Decryptors;
+
+            TokenDescriptors = _params.TokenDescriptors;
+
+            VaultDecryptor = _params.VaultDecryptor ?? Decryptors.First();
+        }
+    }
+}

DigitalData.Core.Security/DIExtensions.cs

@@ -1,16 +1,71 @@
 using DigitalData.Core.Abstractions.Security;
+using DigitalData.Core.Security.Config;
+using DigitalData.Core.Security.RSAKey;
+using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
-using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Options;
+using System.Security.Claims;
 
 namespace DigitalData.Core.Security
 {
     public static class DIExtensions
     {
-        public static IServiceCollection AddSecurity(this IServiceCollection services)
-        {
-            services.TryAddScoped<ICryptFactory, CryptFactory>();
+        private static IServiceCollection AddParamsConfigureOptions<TParams>(this IServiceCollection services) where TParams : RSAFactoryParams
+            => services.AddSingleton<IConfigureOptions<TParams>, ParamsConfigureOptions<TParams>>();
 
-            return services;
+        private static IServiceCollection AddCryptoFactory(this IServiceCollection services) => services
+            .AddParamsConfigureOptions<CryptoFactoryParams>()
+            .AddAutoMapper(typeof(MappingProfile).Assembly)
+            .AddSingleton<ICryptoFactory, CryptoFactory>();
+
+        /// <summary>
+        /// Registers a custom asym crypt service with specified parameters from the given configuration section.
+        /// </summary>
+        /// <param name="services"></param>
+        /// <param name="section"></param>
+        /// <returns>The updated <see cref="IServiceCollection"/> with the RSA Factory registered.</returns>
+        public static IServiceCollection AddCryptoFactory(this IServiceCollection services, IConfigurationSection section) => services
+            .Configure<CryptoFactoryParams>(section)
+            .AddCryptoFactory();
+
+        /// <summary>
+        /// Registers an asym crypt service with the specified parameters from the given instance.
+        /// </summary>
+        /// <param name="services"></param>
+        /// <returns>The updated <see cref="IServiceCollection"/> with the RSA Factory registered.</returns>
+        public static IServiceCollection AddCryptoFactory(this IServiceCollection services, CryptoFactoryParams? factoryParams = null) => services
+            .AddSingleton(Options.Create(factoryParams ?? new()))
+            .AddCryptoFactory();
+
+        /// <summary>
+        /// Registers a custom RSA Factory with specified parameters from the given configuration section.
+        /// </summary>
+        /// <param name="services"></param>
+        /// <param name="section"></param>
+        /// <returns>The updated <see cref="IServiceCollection"/> with the RSA Factory registered.</returns>
+        public static IServiceCollection AddRSAFactory(this IServiceCollection services, IConfigurationSection section) => services
+            .AddParamsConfigureOptions<RSAFactoryParams>()
+            .Configure<RSAFactoryParams>(section)
+            .AddSingleton<IAsymmetricKeyFactory, RSAFactory<RSAFactoryParams>>();
+
+        private static IServiceCollection AddClaimDescriptor<TPrincipal>(this IServiceCollection services,
+            Func<TPrincipal, IDictionary<string, object>>? claimsMapper = null,
+            Func<TPrincipal, ClaimsIdentity>? subjectMapper = null)
+        {
+            var descriptor = new ClaimDescriptor<TPrincipal>
+            {
+                CreateClaims = claimsMapper,
+                CreateSubject = subjectMapper
+            };
+
+            return services.AddSingleton(sp => Options.Create(descriptor));
         }
+
+        public static IServiceCollection AddJwtSignatureHandler<TPrincipal>(this IServiceCollection services,
+            Func<TPrincipal, IDictionary<string, object>>? claimsMapper = null,
+            Func<TPrincipal, ClaimsIdentity>? subjectMapper = null)
+            => services
+                .AddClaimDescriptor(claimsMapper: claimsMapper, subjectMapper: subjectMapper)
+                .AddSingleton<IJwtSignatureHandler<TPrincipal>, JwtSignatureHandler<TPrincipal>>();
     }
 }

DigitalData.Core.Security/DigitalData.Core.Security.csproj

@@ -4,11 +4,35 @@
     <TargetFrameworks>net7.0;net8.0</TargetFrameworks>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
+    <PackageId>DigitalData.Core.Security</PackageId>
+    <Version>1.0.0</Version>
+    <Company>Digital Data GmbH</Company>
+    <Product>Digital Data GmbH</Product>
+    <Description>This package provides RSA-based security functionalities as an implementation of the DigitalData.Core.Abstractions.Security library. It supports robust encryption and decryption operations, as well as JWT signing and validation for secure authentication and data integrity.</Description>
+    <Authors>Digital Data GmbH</Authors>
+    <Copyright>Copyright 2025</Copyright>
+    <PackageProjectUrl></PackageProjectUrl>
+    <PackageIcon>core_icon.png</PackageIcon>
+    <RepositoryUrl>http://git.dd:3000/AppStd/WebCoreModules.git</RepositoryUrl>
+    <PackageTags>digital data core security</PackageTags>
+    <AssemblyVersion>1.0.0</AssemblyVersion>
+    <FileVersion>1.0.0</FileVersion>
   </PropertyGroup>
 
+  <ItemGroup>
+    <None Include="..\..\nuget-package-icons\core_icon.png">
+      <Pack>True</Pack>
+      <PackagePath>\</PackagePath>
+    </None>
+  </ItemGroup>
+
+  <ItemGroup>
+    <PackageReference Include="AutoMapper" Version="13.0.1" />
+    <PackageReference Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="8.0.0" />
+  </ItemGroup>
+
   <ItemGroup>
     <ProjectReference Include="..\DigitalData.Core.Abstractions\DigitalData.Core.Abstractions.csproj" />
-    <ProjectReference Include="..\DigitalData.Core.Security.Extensions\DigitalData.Core.Security.Extensions.csproj" />
   </ItemGroup>
 
 </Project>

DigitalData.Core.Security/Extension.cs

@@ -0,0 +1,89 @@
+using AutoMapper;
+using DigitalData.Core.Abstractions.Security;
+using Microsoft.IdentityModel.Tokens;
+
+namespace DigitalData.Core.Security
+{
+    internal static class Extension
+    {
+        /// <summary>
+        /// Converts a <see cref="DateTime"/> to a formatted string based on the specified format string.
+        /// <br />
+        /// - If the format contains the symbol “//”, the method divides the numeric value obtained from the left side of the format
+        ///   by one minus the numeric value obtained from the right side of the format string and adds one. For instance:
+        /// <br />
+        /// - If the date is 02.03.2024 and the format is "MM//2", it extracts the month (02), subtracts one (3), divides it by 2,
+        ///   rounds down the outgoing number (1), adds one to the number (resulting in 2).
+        ///   <br />
+        /// - If the format does not contain "//", the method uses the default <see cref="DateTime.ToString"/> format.
+        /// <br />
+        /// </summary>
+        /// <param name="date">The <see cref="DateTime"/> value to be formatted.</param>
+        /// <param name="format">The format string that dictates the formatting of the date. If the format includes the "//" symbol, 
+        /// it splits the string at "//" and divides the left-side value by the right-side value. The format string can include standard
+        /// <see cref="DateTime.ToString"/> format patterns.</param>
+        /// <returns>A string representation of the formatted date, or the result of the division operation if "//" is present in the format.</returns>
+        /// <exception cref="ArgumentException">Thrown if the format string is invalid, such as having an incorrect number of parts after "//".</exception>
+        /// <exception cref="DivideByZeroException">Thrown if the right side of the "//" contains a zero, resulting in division by zero.</exception>
+        /// <exception cref="FormatException">Thrown if either the left-side or right-side value of "//" cannot be parsed as an integer.</exception>
+        internal static string ToTag(this DateTime date, string format)
+        {
+            if (format is not null && format.Contains("//"))
+            {
+                var subStrings = format.Split("//");
+
+                if (subStrings.Length != 2)
+                    throw new ArgumentException($"Date tag format {format} is invalid. It must contain exactly one '//' separator.", nameof(format));
+
+                var formattedLeft = date.ToString(subStrings[0]);
+
+                if (!int.TryParse(formattedLeft, out var dateValue))
+                    throw new FormatException($"The left-side value ({formattedLeft}) of the format could not be parsed to an integer.");
+
+                if (!int.TryParse(subStrings[1], out var divisor))
+                    throw new FormatException($"The right-side value ({divisor}) of the format could not be parsed to an integer.");
+
+                if (divisor == 0)
+                    throw new DivideByZeroException($"Date tag format {format} includes division by zero, which is not allowed.");
+
+                var result = (dateValue - 1) / divisor + 1;
+                return result.ToString();
+            }
+
+            return date.ToString(format);
+        }
+
+        /// <summary>
+        /// Converts a <see cref="DateTime"/> to a formatted string based on the specified format string.
+        /// <br />
+        /// - If the format contains the symbol “//”, the method divides the numeric value obtained from the left side of the format
+        ///   by one minus the numeric value obtained from the right side of the format string and adds one. For instance:
+        /// <br />
+        /// - If the date is 02.03.2024 and the format is "MM//2", it extracts the month (02), subtracts one (3), divides it by 2,
+        ///   rounds down the outgoing number (1), adds one to the number (resulting in 2).
+        ///   <br />
+        /// - If the format does not contain "//", the method uses the default <see cref="DateTime.ToString"/> format.
+        /// <br />
+        /// This method provides a way to format the date based on typical or customized rules, including mathematical operations like division.
+        /// </summary>
+        /// <param name="date">The <see cref="DateOnly"/> value to be formatted. It will convert to DateTime to use the method shared with DateTime.</param>
+        /// <param name="format">The format string that dictates the formatting of the date. If the format includes the "//" symbol, 
+        /// it splits the string at "//" and divides the left-side value by the right-side value. The format string can include standard
+        /// <see cref="DateTime.ToString"/> format patterns.</param>
+        /// <returns>A string representation of the formatted date, or the result of the division operation if "//" is present in the format.</returns>
+        /// <exception cref="ArgumentException">Thrown if the format string is invalid, such as having an incorrect number of parts after "//".</exception>
+        /// <exception cref="DivideByZeroException">Thrown if the right side of the "//" contains a zero, resulting in division by zero.</exception>
+        /// <exception cref="FormatException">Thrown if either the left-side or right-side value of "//" cannot be parsed as an integer.</exception>
+        internal static string ToTag(this DateOnly date, string format) => date.ToDateTime(new()).ToTag(format);
+
+        /// <summary>
+        /// Maps a <see cref="RSATokenDescriptor"/> to a <see cref="SecurityTokenDescriptor"/>.
+        /// </summary>
+        /// <param name="mapper">The <see cref="IMapper"/> instance used for mapping.</param>
+        /// <param name="description">The <see cref="RSATokenDescriptor"/> instance to be mapped.</param>
+        /// <returns>A <see cref="SecurityTokenDescriptor"/> instance populated with the mapped values.</returns>
+        /// <exception cref="ArgumentNullException">Thrown if <paramref name="mapper"/> or <paramref name="description"/> is <c>null</c>.</exception>
+        internal static SecurityTokenDescriptor Map(this IMapper mapper, IAsymmetricTokenDescriptor description)
+            => mapper.Map(description, new SecurityTokenDescriptor());
+    }
+}

DigitalData.Core.Security/GlobalSuppressions.cs

@@ -0,0 +1,8 @@
+// This file is used by Code Analysis to maintain SuppressMessage
+// attributes that are applied to this project.
+// Project-level suppressions either have no target or are given
+// a specific target and scoped to a namespace, type, member, etc.
+
+using System.Diagnostics.CodeAnalysis;
+
+[assembly: SuppressMessage("Style", "IDE0290:Use primary constructor", Justification = "<Pending>", Scope = "member", Target = "~M:DigitalData.Core.Security.JwtSignatureHandler`1.#ctor(Microsoft.Extensions.Options.IOptions{DigitalData.Core.Security.Config.ClaimDescriptor{`0}},AutoMapper.IMapper)")]

DigitalData.Core.Security/Instance.cs

@@ -0,0 +1,14 @@
+using DigitalData.Core.Abstractions.Security;
+using DigitalData.Core.Security.Config;
+using DigitalData.Core.Security.RSAKey;
+using Microsoft.Extensions.Options;
+
+namespace DigitalData.Core.Security
+{
+    public static class Instance
+    {
+        private static readonly Lazy<RSAFactory<RSAFactoryParams>> LazyInstance = new(() => new(Options.Create<RSAFactoryParams>(new())));
+
+        public static IAsymmetricKeyFactory RSAFactory => LazyInstance.Value;
+    }
+}

DigitalData.Core.Security/JwtSignatureHandler.cs

@@ -0,0 +1,40 @@
+using AutoMapper;
+using DigitalData.Core.Abstractions.Security;
+using DigitalData.Core.Security.Config;
+using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.Tokens;
+using System.IdentityModel.Tokens.Jwt;
+
+namespace DigitalData.Core.Security
+{
+    public class JwtSignatureHandler<TPrincipal> : JwtSecurityTokenHandler, IJwtSignatureHandler<TPrincipal>
+    {
+        private readonly ClaimDescriptor<TPrincipal> _claimDescriptor;
+
+        private readonly IMapper _mapper;
+
+        private readonly ICryptoFactory _cryptoFactory;
+
+        public JwtSignatureHandler(IOptions<ClaimDescriptor<TPrincipal>> claimDescriptorOptions, IMapper mapper, ICryptoFactory cryptoFactory)
+        {
+            _claimDescriptor = claimDescriptorOptions.Value;
+            _mapper = mapper;
+            _cryptoFactory = cryptoFactory;
+        }
+
+        public SecurityToken CreateToken(TPrincipal subject, IAsymmetricTokenDescriptor descriptor)
+        {
+            var sDescriptor = _mapper.Map(descriptor);
+            sDescriptor.Claims = _claimDescriptor.CreateClaims?.Invoke(subject);
+            sDescriptor.Subject = _claimDescriptor.CreateSubject?.Invoke(subject);
+            return CreateToken(sDescriptor);
+        }
+
+        public SecurityToken CreateToken(TPrincipal subject, string issuer, string audience)
+        {
+            var descriptor = _cryptoFactory.TokenDescriptors.Get(issuer: issuer, audience: audience)
+                ?? throw new InvalidOperationException($"No or multiple token description found for issuer '{issuer}' and audience '{audience}'.");
+            return CreateToken(subject: subject, descriptor: descriptor);
+        }
+    }
+}

DigitalData.Core.Security/RSACryptographer.cs

@@ -1,16 +0,0 @@
-using DigitalData.Core.Abstractions.Security;
-using System.Security.Cryptography;
-
-namespace DigitalData.Core.Security
-{
-    public class RSACryptographer : IRSACryptographer
-    {
-        public required virtual string Pem { get; init; }
-
-        public RSAEncryptionPadding Padding { get; init; } = RSAEncryptionPadding.OaepSHA256;
-
-        protected virtual RSA RSA { get; } = RSA.Create();
-
-        internal RSACryptographer() { }
-    }
-}

DigitalData.Core.Security/RSADecryptor.cs

@@ -1,58 +0,0 @@
-using DigitalData.Core.Abstractions.Security;
-using DigitalData.Core.Security.Extensions;
-using System.Security.Cryptography;
-
-namespace DigitalData.Core.Security
-{
-    public class RSADecryptor : RSACryptographer, IRSADecryptor, IRSACryptographer
-    {
-        public (string Value, Version Version)? VersionedPassword
-        {
-            init
-            {
-                _password = value?.Value;
-                PasswordVersion = value?.Version;
-            }
-        }
-
-        private string? _password;
-
-        public Version? PasswordVersion { get; private init; } = null;
-
-        public bool HasEncryptedPem => _password is not null;
-
-        public bool IsEncrypted => _password is not null;
-
-        private readonly Lazy<IRSAEncryptor> _lazyEncryptor;
-
-        public IRSAEncryptor Encryptor => _lazyEncryptor.Value;
-
-        private readonly Lazy<RSA> lazyRSA;
-
-        protected override RSA RSA => lazyRSA.Value;
-
-        public RSADecryptor() 
-        {
-            _lazyEncryptor = new(() => new RSAEncryptor()
-            {
-                Pem = RSA.ExportRSAPublicKeyPem(),
-                Padding = Padding
-            });
-
-            lazyRSA = new(() =>
-            {
-                var rsa = RSA.Create();
-                if (_password is null)
-                    RSA.ImportFromPem(Pem);
-                else
-                    RSA.ImportFromEncryptedPem(Pem, _password.AsSpan());
-
-                return rsa;
-            });
-        }
-        
-        public byte[] Decrypt(byte[] data) => RSA.Decrypt(data, Padding);
-
-        public string Decrypt(string data) => RSA.Decrypt(data.Base64ToByte(), Padding).BytesToString();
-    }
-}

DigitalData.Core.Security/RSAEncryptor.cs

@@ -1,24 +0,0 @@
-using DigitalData.Core.Abstractions.Security;
-using DigitalData.Core.Security.Extensions;
-
-namespace DigitalData.Core.Security
-{
-    public class RSAEncryptor : RSACryptographer, IRSAEncryptor, IRSACryptographer
-    {
-        public override required string Pem
-        { 
-            get => base.Pem;            
-            init
-            {
-                RSA.ImportFromPem(base.Pem);
-                base.Pem = value;
-            }
-        }
-
-        public byte[] Encrypt(byte[] data) => RSA.Encrypt(data, Padding);
-
-        public string Encrypt(string data) => RSA.Encrypt(data.Base64ToByte(), Padding).BytesToString();
-
-        public bool Verify(string data, string signature) => Encrypt(data) == signature;
-    }
-}

DigitalData.Core.Security/RSAFactory.cs

@@ -1,132 +0,0 @@
-using DigitalData.Core.Abstractions.Security;
-using System.Security.Cryptography;
-using System.Text;
-
-namespace DigitalData.Core.Security
-{
-    public class RSAFactory
-    {
-        private static readonly Lazy<RSAFactory> LazyInstance = new(() => new());
-
-        public static RSAFactory Static => LazyInstance.Value;
-
-        public static readonly string DefaultEncryptedPrivateKeyFileTag = "enc-private";
-
-        public static readonly string DefaultPrivateKeyFileTag = "private";
-
-        public static readonly string DefaultPublicKeyFileTag = "public";
-
-        public static readonly IEnumerable<string> KeyFileTags = new string[] { DefaultEncryptedPrivateKeyFileTag, DefaultPrivateKeyFileTag, DefaultPublicKeyFileTag };
-
-        private static readonly Lazy<IEnumerable<string>> LazyLowerFileTags = new(() => KeyFileTags.Select(tag => tag.ToLower()));
-
-        public static readonly string DefaultRSAKeyNameSeparator = "-_-";
-
-        //TODO: make the validation using regex
-        public static string DefaultRSAKeyNameFormatter(string issuer, string audience, bool isPrivate = true, Version? passwordVersion = null, string? separator = null)
-        {
-            separator ??= DefaultRSAKeyNameSeparator;
-
-            void ValidateForbidden(string value, string paramName)
-            {
-                if (Path.GetInvalidFileNameChars().Any(value.Contains) || LazyLowerFileTags.Value.Any(tag => value.ToLower().Contains(tag)))
-                    throw new ArgumentException($"RSA decryptor key name creation is forbidden. The {paramName} contains forbidden characters that are not allowed in file naming.", paramName);
-            }
-
-            static void ValidateSeparator(string value, string paramName, string separator)
-            {
-                if (value.Contains(separator))
-                    throw new ArgumentException($"RSA decryptor key name creation is forbidden. The {paramName} contains separator characters ({separator}) that are not allowed in file naming.", paramName);
-            }
-
-            ValidateForbidden(issuer, nameof(issuer));
-            ValidateForbidden(audience, nameof(audience));
-            ValidateForbidden(separator, nameof(separator));
-
-            ValidateSeparator(issuer, nameof(issuer), separator);
-            ValidateSeparator(audience, nameof(audience), separator);
-
-            var sb = new StringBuilder(issuer.Length + audience.Length + separator.Length * 2 + 20);
-            sb.Append(issuer).Append(separator).Append(audience).Append(separator);
-
-            if (passwordVersion is null && isPrivate)
-                sb.Append(DefaultPrivateKeyFileTag);
-            else if (isPrivate)
-                sb.Append(DefaultEncryptedPrivateKeyFileTag).Append(separator).Append(passwordVersion);
-            else if (passwordVersion is null)
-                sb.Append(DefaultPublicKeyFileTag);
-            else
-                sb.Append(DefaultPublicKeyFileTag).Append(separator).Append(passwordVersion);
-
-            return sb.ToString();
-        }
-
-        public int KeySizeInBits { get; init; } = 2048;
-
-        public string PbePassword { private get; init; } = Secrets.PBE_PASSWORD;
-
-        public PbeEncryptionAlgorithm PbeEncryptionAlgorithm { get; init; } = PbeEncryptionAlgorithm.Aes256Cbc;
-
-        public HashAlgorithmName PbeHashAlgorithmName { get; init; } = HashAlgorithmName.SHA256;
-
-        public int PbeIterationCount { get; init; } = 100_000;
-
-        private readonly Lazy<PbeParameters> _lazyPbeParameters;
-
-        public PbeParameters PbeParameters => _lazyPbeParameters.Value;
-
-        public string EncryptedPrivateKeyPemLabel { get; init; } = "ENCRYPTED PRIVATE KEY";
-
-        internal RSAFactory()
-        {
-            _lazyPbeParameters = new(() => new PbeParameters(PbeEncryptionAlgorithm, PbeHashAlgorithmName, PbeIterationCount));
-        }
-
-        public string CreateRSAPrivateKeyPem(int? keySizeInBits = null)
-            => RSA.Create(keySizeInBits ?? KeySizeInBits).ExportRSAPrivateKeyPem();
-
-        public string CreateEncryptedPrivateKeyPem(
-            int? keySizeInBits = null,
-            string? password = null,
-            PbeEncryptionAlgorithm? pbeEncryptionAlgorithm = null,
-            HashAlgorithmName? hashAlgorithmName = null,
-            int? iterationCount = null)
-        {
-            password ??= PbePassword;
-
-            var pbeParameters = (pbeEncryptionAlgorithm is null && hashAlgorithmName is null && iterationCount is null)
-                ? new PbeParameters(
-                    pbeEncryptionAlgorithm ?? PbeEncryptionAlgorithm,
-                    hashAlgorithmName ?? PbeHashAlgorithmName,
-                    iterationCount ?? PbeIterationCount)
-                : PbeParameters;
-            
-            var encryptedPrivateKey = RSA.Create(keySizeInBits ?? KeySizeInBits).ExportEncryptedPkcs8PrivateKey(password.AsSpan(), pbeParameters);
-
-            var pemChars = PemEncoding.Write(EncryptedPrivateKeyPemLabel, encryptedPrivateKey);
-
-            return new string(pemChars);
-        }
-
-        public async Task<IRSADecryptor> ReadRSADecryptorAsync(string path, Version? version = null, CancellationToken cancellationToken = default)
-        {
-            var pem = await File.ReadAllTextAsync(path, cancellationToken);
-
-            (string Value, Version Version)? versionedPassword = null;
-
-            if(version is not null)
-            {
-                if (version != Secrets.Version)
-                    throw new InvalidOperationException($"The provided version {version} does not match the expected version {Secrets.Version}.");
-
-                versionedPassword = (Secrets.PBE_PASSWORD, Secrets.Version);
-            }
-
-            return new RSADecryptor()
-            {
-                Pem = pem,
-                VersionedPassword = versionedPassword
-            };
-        }
-    }
-}

DigitalData.Core.Security/RSAKey/RSADecryptor.cs

@@ -0,0 +1,33 @@
+using DigitalData.Core.Abstractions.Security;
+using System.Reflection;
+using System.Security.Cryptography;
+
+namespace DigitalData.Core.Security.RSAKey
+{
+    public class RSADecryptor : RSAPrivateKey, IAsymmetricDecryptor
+    {
+        public RSAEncryptionPadding Padding { get; init; } = RSAEncryptionPadding.OaepSHA256;
+
+        // TODO: add as json converter to IConfigurIConfiguration.Config
+        public string PaddingName
+        {
+            get => Padding.ToString();
+            init => Padding = typeof(RSAEncryptionPadding).GetProperty(value, BindingFlags.Public | BindingFlags.Static)?.GetValue(null) as RSAEncryptionPadding ?? throw new ArgumentException($"Padding '{value}' not found.");
+        }
+
+        public byte[] Decrypt(byte[] data) => RSA.Decrypt(data, Padding);
+
+        private readonly Lazy<IAsymmetricEncryptor> _lazyEncryptor;
+
+        public IAsymmetricEncryptor Encryptor => _lazyEncryptor.Value;
+
+        public RSADecryptor()
+        {
+            _lazyEncryptor = new(() => new RSAEncryptor()
+            {
+                Content = RSA.ExportRSAPublicKeyPem(),
+                Padding = Padding
+            });
+        }
+    }
+}

DigitalData.Core.Security/RSAKey/RSAEncryptor.cs

@@ -0,0 +1,20 @@
+using DigitalData.Core.Abstractions.Security;
+using System.Reflection;
+using System.Security.Cryptography;
+
+namespace DigitalData.Core.Security.RSAKey
+{
+    public class RSAEncryptor : RSAPublicKey, IAsymmetricEncryptor
+    {
+        public RSAEncryptionPadding Padding { get; init; } = RSAEncryptionPadding.OaepSHA256;
+
+        // TODO: add as json converter to IConfigurIConfiguration.Config
+        public string PaddingName
+        {
+            get => Padding.ToString();
+            init => Padding = typeof(RSAEncryptionPadding).GetProperty(value, BindingFlags.Public | BindingFlags.Static)?.GetValue(null) as RSAEncryptionPadding ?? throw new ArgumentException($"Padding '{value}' not found.");
+        }
+
+        public byte[] Encrypt(byte[] data) => RSA.Encrypt(data, Padding);
+    }
+}

DigitalData.Core.Security/RSAKey/RSAFactory.cs

@@ -0,0 +1,66 @@
+using DigitalData.Core.Abstractions.Security;
+using DigitalData.Core.Security.Config;
+using Microsoft.Extensions.Options;
+using System.Security.Cryptography;
+
+namespace DigitalData.Core.Security.RSAKey
+{
+    public class RSAFactory<TRSAFactoryParams> : IAsymmetricKeyFactory where TRSAFactoryParams : RSAFactoryParams
+    {
+        protected readonly TRSAFactoryParams _params;
+
+        public RSAFactory(IOptions<TRSAFactoryParams> options)
+        {
+            options.Value.Init();
+            _params = options.Value;
+        }
+
+        public string CreatePrivateKeyPem(int? keySizeInBits = null, bool encrypt = false) => encrypt
+            ? CreateEncryptedPrivateKeyPem(keySizeInBits: keySizeInBits)
+            : RSA.Create(keySizeInBits ?? _params.KeySizeInBits).ExportRSAPrivateKeyPem();
+
+        public string CreateEncryptedPrivateKeyPem(
+            PbeEncryptionAlgorithm? pbeEncryptionAlgorithm = null,
+            HashAlgorithmName? hashAlgorithmName = null,
+            int? iterationCount = null,
+            int? keySizeInBits = null,
+            string? password = null)
+        {
+            password ??= _params.PbePassword;
+
+            var pbeParameters = pbeEncryptionAlgorithm is null && hashAlgorithmName is null && iterationCount is null
+                ? new PbeParameters(
+                    pbeEncryptionAlgorithm ?? _params.PbeEncryptionAlgorithm,
+                    hashAlgorithmName ?? _params.PbeHashAlgorithm,
+                    iterationCount ?? _params.PbeIterationCount)
+                : _params.PbeParameters;
+
+            var encryptedPrivateKey = RSA.Create(keySizeInBits ?? _params.KeySizeInBits).ExportEncryptedPkcs8PrivateKey(password.AsSpan(), pbeParameters);
+
+            var pemChars = PemEncoding.Write(_params.EncryptedPrivateKeyPemLabel, encryptedPrivateKey);
+
+            return new string(pemChars);
+        }
+
+        public string CreateEncryptedPrivateKeyPem(
+            PbeParameters pbeParameters,
+            int? keySizeInBits = null,
+            string? password = null)
+        {
+            password ??= _params.PbePassword;
+
+            var encryptedPrivateKey = RSA.Create(keySizeInBits ?? _params.KeySizeInBits).ExportEncryptedPkcs8PrivateKey(password.AsSpan(), pbeParameters);
+
+            var pemChars = PemEncoding.Write(_params.EncryptedPrivateKeyPemLabel, encryptedPrivateKey);
+
+            return new string(pemChars);
+        }
+
+        public IAsymmetricDecryptor CreateDecryptor(string pem, string? issuer = null, string? audience = null, bool encrypt = false, RSAEncryptionPadding? padding = null) => new RSADecryptor()
+        {
+            Content = pem,
+            IsEncrypted = encrypt,
+            Padding = padding ?? RSAEncryptionPadding.OaepSHA256
+        };
+    }
+}

DigitalData.Core.Security/RSAKey/RSAKeyBase.cs

@@ -0,0 +1,16 @@
+using DigitalData.Core.Abstractions.Security;
+using System.Security.Cryptography;
+
+namespace DigitalData.Core.Security.RSAKey
+{
+    public class RSAKeyBase : IAsymmetricKey
+    {
+#pragma warning disable CS8618 // Non-nullable field must contain a non-null value when exiting constructor. Consider declaring as nullable.
+        public virtual string Content { get; init; }
+#pragma warning restore CS8618 // Non-nullable field must contain a non-null value when exiting constructor. Consider declaring as nullable.
+
+        public string? Id { get; init; }
+
+        protected virtual RSA RSA { get; } = RSA.Create();
+    }
+}

DigitalData.Core.Security/RSAKey/RSAPrivateKey.cs

@@ -0,0 +1,55 @@
+using DigitalData.Core.Abstractions.Security;
+using System.Security.Cryptography;
+
+namespace DigitalData.Core.Security.RSAKey
+{
+    public class RSAPrivateKey : RSAKeyBase, IAsymmetricPrivateKey, IAsymmetricKey
+    {
+        private string? _pem;
+
+        public override string Content
+        {
+#pragma warning disable CS8603 // Possible null reference return.
+            get => _pem;
+#pragma warning restore CS8603 // Possible null reference return.
+            init
+            {
+                _pem = value;
+                Init();
+            }
+        }
+
+        public bool IsPemNull => _pem is null;
+
+        public bool IsEncrypted { get; init; }
+
+        protected TPublicKey CreatePublicKey<TPublicKey>() where TPublicKey : RSAPublicKey, new()
+            => new() { Content = RSA.ExportRSAPublicKeyPem() };
+
+        private readonly Lazy<RSAPublicKey> _lazyPublicKey;
+
+        public IAsymmetricPublicKey PublicKey => _lazyPublicKey.Value;
+
+        public RSAPrivateKey()
+        {
+            _lazyPublicKey = new(CreatePublicKey<RSAPublicKey>);
+        }
+
+        internal void SetPem(string pem)
+        {
+            _pem = pem;
+            Init();
+        }
+
+        private void Init()
+        {
+            if (string.IsNullOrEmpty(_pem))
+                throw new InvalidOperationException ($"The content of RSA private key is null or empty. Id: {Id}.");
+
+            if (IsEncrypted)
+                RSA.ImportFromEncryptedPem(Content, Secrets.PBE_PASSWORD.AsSpan());
+            else
+                RSA.ImportFromPem(Content);
+        }
+    }
+}

DigitalData.Core.Security/RSAKey/RSAPublicKey.cs

@@ -0,0 +1,17 @@
+using DigitalData.Core.Abstractions.Security;
+
+namespace DigitalData.Core.Security.RSAKey
+{
+    public class RSAPublicKey : RSAKeyBase, IAsymmetricPublicKey, IAsymmetricKey
+    {
+        public override string Content 
+        {
+            get => base.Content;
+            init
+            {
+                base.Content = value;
+                RSA.ImportFromPem(value);
+            }
+        }
+    }
+}

DigitalData.Core.Security/RSAKey/RSATokenDescriptor.cs

@@ -0,0 +1,119 @@
+using DigitalData.Core.Abstractions.Security;
+using Microsoft.IdentityModel.Tokens;
+
+namespace DigitalData.Core.Security.RSAKey
+{
+    /// <summary>
+    /// Contains some information which used to create a security token. Designed to abstract <see cref="SecurityTokenDescriptor"/>
+    /// </summary>
+    public class RSATokenDescriptor : RSAPrivateKey, IAsymmetricTokenDescriptor
+    {
+        private readonly Lazy<RSATokenValidator> _lazyTokenValidator;
+
+        public IAsymmetricTokenValidator Validator => _lazyTokenValidator.Value;
+
+        public required TimeSpan Lifetime { get; init; }
+
+        #region SecurityTokenDescriptor Map
+        /// <summary>
+        /// Gets or sets the value of the 'audience' claim.
+        /// </summary>
+        public required string Audience { get; set; }
+
+        /// <summary>
+        /// Defines the compression algorithm that will be used to compress the JWT token payload.
+        /// </summary>
+        public string CompressionAlgorithm { get; set; }
+
+        /// <summary>
+        /// Gets or sets the <see cref="EncryptingCredentials"/> used to create a encrypted security token.
+        /// </summary>
+        public EncryptingCredentials EncryptingCredentials { get; set; }
+
+        /// <summary>
+        /// Gets or sets the value of the 'expiration' claim. This value should be in UTC.
+        /// The expiration time is the sum of DateTime.Now and LifeTime.
+        /// </summary>
+        public DateTime? Expires => DateTime.Now.AddTicks(Lifetime.Ticks);
+
+        /// <summary>
+        /// Gets or sets the issuer of this <see cref="SecurityTokenDescriptor"/>.
+        /// </summary>
+        public required string Issuer { get; set; }
+
+        /// <summary>
+        /// Gets or sets the time the security token was issued. This value should be in UTC.
+        /// </summary>
+        public DateTime? IssuedAt { get; set; }
+
+        /// <summary>
+        /// Gets or sets the notbefore time for the security token. This value should be in UTC.
+        /// </summary>
+        public DateTime? NotBefore { get; set; }
+
+        /// <summary>
+        /// Gets or sets the token type.
+        /// <remarks> If provided, this will be added as the value for the 'typ' header parameter. In the case of a JWE, this will be added to both the inner (JWS) and the outer token (JWE) header. By default, the value used is 'JWT'.
+        /// If <see cref="AdditionalHeaderClaims"/> also contains 'typ' header claim value, it will override the TokenType provided here.
+        /// This value is used only for JWT tokens and not for SAML/SAML2 tokens</remarks>
+        /// </summary>
+        public string TokenType { get; set; }
+
+        /// <summary>
+        /// Gets or sets the <see cref="Dictionary{TKey, TValue}"/> which contains any custom header claims that need to be added to the JWT token header.
+        /// The 'alg', 'kid', 'x5t', 'enc', and 'zip' claims are added by default based on the <see cref="SigningCredentials"/>,
+        /// <see cref="EncryptingCredentials"/>, and/or <see cref="CompressionAlgorithm"/> provided and SHOULD NOT be included in this dictionary as this
+        /// will result in an exception being thrown. 
+        /// <remarks> These claims are only added to the outer header (in case of a JWE).</remarks>
+        /// </summary>
+        public IDictionary<string, object> AdditionalHeaderClaims { get; set; }
+
+        /// <summary>
+        /// Gets or sets the <see cref="Dictionary{TKey, TValue}"/> which contains any custom header claims that need to be added to the inner JWT token header.
+        /// The 'alg', 'kid', 'x5t', 'enc', and 'zip' claims are added by default based on the <see cref="SigningCredentials"/>,
+        /// <see cref="EncryptingCredentials"/>, and/or <see cref="CompressionAlgorithm"/> provided and SHOULD NOT be included in this dictionary as this
+        /// will result in an exception being thrown. 
+        /// <remarks>
+        /// For JsonWebTokenHandler, these claims are merged with <see cref="AdditionalHeaderClaims"/> while adding to the inner JWT header.
+        /// </remarks>
+        /// </summary>
+        public IDictionary<string, object> AdditionalInnerHeaderClaims { get; set; }
+
+        /// <summary>
+        /// Gets or sets the <see cref="SigningCredentials"/> used to create a security token.
+        /// </summary>
+        public SigningCredentials SigningCredentials => _lazySigningCredentials.Value;
+        #endregion SecurityTokenDescriptor
+
+        private readonly Lazy<RsaSecurityKey> _lazyRsaSecurityKey;
+
+        public SecurityKey SecurityKey => _lazyRsaSecurityKey.Value;
+
+        private readonly Lazy<SigningCredentials> _lazySigningCredentials;
+
+        /// <summary>
+        /// Specifies the signature algorithm to be applied to the <see cref="SigningCredentials"/>.
+        /// Default is <see cref="SecurityAlgorithms.RsaSha256"/>.
+        /// </summary>
+        public string SigningAlgorithm { get; init; } = SecurityAlgorithms.RsaSha256;
+
+        /// <summary>
+        /// Optionally specifies the digest algorithm to be applied during the signing process for the <see cref="SigningCredentials"/>.
+        /// If not provided, the default algorithm is used.
+        /// </summary>
+        public string? SigningDigest { get; init; }
+
+#pragma warning disable CS8618 // Non-nullable field must contain a non-null value when exiting constructor. Consider declaring as nullable.
+        public RSATokenDescriptor()
+#pragma warning restore CS8618 // Non-nullable field must contain a non-null value when exiting constructor. Consider declaring as nullable.
+        {
+            _lazyTokenValidator = new(CreatePublicKey<RSATokenValidator>);
+
+            _lazyRsaSecurityKey = new(() => new RsaSecurityKey(RSA));
+
+            _lazySigningCredentials = new(() => SigningDigest is null
+                ? new(SecurityKey, SigningAlgorithm)
+                : new(SecurityKey, SigningAlgorithm, SigningDigest));
+        }
+    }
+}

DigitalData.Core.Security/RSAKey/RSATokenValidator.cs

@@ -0,0 +1,17 @@
+using DigitalData.Core.Abstractions.Security;
+using Microsoft.IdentityModel.Tokens;
+
+namespace DigitalData.Core.Security.RSAKey
+{
+    public class RSATokenValidator : RSAPublicKey, IAsymmetricTokenValidator
+    {
+        private readonly Lazy<RsaSecurityKey> _lazyRsaSecurityKey;
+
+        public SecurityKey SecurityKey => _lazyRsaSecurityKey.Value;
+
+        public RSATokenValidator()
+        {
+            _lazyRsaSecurityKey = new(() => new RsaSecurityKey(RSA));
+        }
+    }
+}

DigitalData.Core.sln

@@ -23,9 +23,9 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DigitalData.Core.Legacy.Cli
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "DigitalData.Core.Security", "DigitalData.Core.Security\DigitalData.Core.Security.csproj", "{47D80C65-74A2-4EB8-96A5-D571A9108FB3}"
 EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "DigitalData.Core.Security.Extensions", "DigitalData.Core.Security.Extensions\DigitalData.Core.Security.Extensions.csproj", "{D740182D-82DA-480A-9F87-BFB4A8620A00}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "DigitalData.Core.Terminal", "DigitalData.Core.Terminal\DigitalData.Core.Terminal.csproj", "{0FA93730-8084-4907-B172-87D610323796}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DigitalData.Core.Terminal", "DigitalData.Core.Terminal\DigitalData.Core.Terminal.csproj", "{0FA93730-8084-4907-B172-87D610323796}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "DigitalData.Core.Tests.API", "DigitalData.Core.Tests.API\DigitalData.Core.Tests.API.csproj", "{9BC2DEC5-E89D-48CC-9A51-4D94496EE4A6}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
@@ -68,18 +68,18 @@ Global
 		{E009A053-A9F4-48F2-984F-EF5C376A9B14}.Debug|Any CPU.Build.0 = Release|Any CPU
 		{E009A053-A9F4-48F2-984F-EF5C376A9B14}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{E009A053-A9F4-48F2-984F-EF5C376A9B14}.Release|Any CPU.Build.0 = Release|Any CPU
-		{47D80C65-74A2-4EB8-96A5-D571A9108FB3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{47D80C65-74A2-4EB8-96A5-D571A9108FB3}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{47D80C65-74A2-4EB8-96A5-D571A9108FB3}.Debug|Any CPU.ActiveCfg = Release|Any CPU
+		{47D80C65-74A2-4EB8-96A5-D571A9108FB3}.Debug|Any CPU.Build.0 = Release|Any CPU
 		{47D80C65-74A2-4EB8-96A5-D571A9108FB3}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{47D80C65-74A2-4EB8-96A5-D571A9108FB3}.Release|Any CPU.Build.0 = Release|Any CPU
-		{D740182D-82DA-480A-9F87-BFB4A8620A00}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{D740182D-82DA-480A-9F87-BFB4A8620A00}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{D740182D-82DA-480A-9F87-BFB4A8620A00}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{D740182D-82DA-480A-9F87-BFB4A8620A00}.Release|Any CPU.Build.0 = Release|Any CPU
 		{0FA93730-8084-4907-B172-87D610323796}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{0FA93730-8084-4907-B172-87D610323796}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{0FA93730-8084-4907-B172-87D610323796}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{0FA93730-8084-4907-B172-87D610323796}.Release|Any CPU.Build.0 = Release|Any CPU
+		{9BC2DEC5-E89D-48CC-9A51-4D94496EE4A6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{9BC2DEC5-E89D-48CC-9A51-4D94496EE4A6}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{9BC2DEC5-E89D-48CC-9A51-4D94496EE4A6}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{9BC2DEC5-E89D-48CC-9A51-4D94496EE4A6}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE