chore(Security): Description fixed

- Benennung der perm-Datei aktualisiert.

.gitignore

@@ -410,3 +410,4 @@ FodyWeavers.xsd
 /DigitalData.Core.ConsoleApp/FooHttpOptions.cs
 /DigitalData.Core.Tests/obj/
 /DigitalData.Core.Terminal
+/DigitalData.Core.Tests.API

DigitalData.Core.API/BasicCRUDControllerBase.cs

@@ -7,7 +7,7 @@ namespace DigitalData.Core.API
     [ApiController]
     [Route("api/[controller]")]
     public class BasicCRUDControllerBase<TCRUDService, TDto, TEntity, TId> : CRUDControllerBase<TCRUDService, TDto, TDto, TDto, TEntity, TId>
-        where TCRUDService : ICRUDService<TDto, TDto, TDto, TEntity, TId>
+        where TCRUDService : ICRUDService<TDto, TDto, TEntity, TId>
         where TDto : class, IUnique<TId>
         where TEntity : class, IUnique<TId>
     {

DigitalData.Core.API/CRUDControllerBase.cs

@@ -11,13 +11,12 @@ namespace DigitalData.Core.API
     /// <typeparam name="TCRUDService">The derived CRUD service type implementing ICRUDService<TCreateDto, TReadDto, TUpdateDto, TEntity, TId>.</typeparam>
     /// <typeparam name="TCreateDto">The Data Transfer Object type for create operations.</typeparam>
     /// <typeparam name="TReadDto">The Data Transfer Object type for read operations.</typeparam>
-    /// <typeparam name="TUpdateDto">The Data Transfer Object type for update operations.</typeparam>
     /// <typeparam name="TEntity">The entity type CRUD operations will be performed on.</typeparam>
     /// <typeparam name="TId">The type of the entity's identifier.</typeparam>
     [ApiController]
     [Route("api/[controller]")]
     public class CRUDControllerBase<TCRUDService, TCreateDto, TReadDto, TUpdateDto, TEntity, TId> : ControllerBase
-        where TCRUDService : ICRUDService<TCreateDto, TReadDto, TUpdateDto, TEntity, TId>
+        where TCRUDService : ICRUDService<TCreateDto, TReadDto, TEntity, TId>
         where TCreateDto : class
         where TReadDto : class
         where TUpdateDto : class, IUnique<TId>

DigitalData.Core.API/CRUDControllerBaseWithErrorHandling.cs

@@ -12,13 +12,12 @@ namespace DigitalData.Core.API
     /// <typeparam name="TCRUDService">The derived CRUD service type implementing ICRUDService<TCreateDto, TReadDto, TUpdateDto, TEntity, TId>.</typeparam>
     /// <typeparam name="TCreateDto">The Data Transfer Object type for create operations.</typeparam>
     /// <typeparam name="TReadDto">The Data Transfer Object type for read operations.</typeparam>
-    /// <typeparam name="TUpdateDto">The Data Transfer Object type for update operations.</typeparam>
     /// <typeparam name="TEntity">The entity type CRUD operations will be performed on.</typeparam>
     /// <typeparam name="TId">The type of the entity's identifier.</typeparam>
     [ApiController]
     [Route("api/[controller]")]
     public class CRUDControllerBaseWithErrorHandling<TCRUDService, TCreateDto, TReadDto, TUpdateDto, TEntity, TId> : ControllerBase
-        where TCRUDService : ICRUDService<TCreateDto, TReadDto, TUpdateDto, TEntity, TId>
+        where TCRUDService : ICRUDService<TCreateDto, TReadDto, TEntity, TId>
         where TCreateDto : class
         where TReadDto : class
         where TUpdateDto : class, IUnique<TId>

DigitalData.Core.API/DigitalData.Core.API.csproj

@@ -8,7 +8,7 @@
     <OutputType>Library</OutputType>
     <Description>This package provides a comprehensive set of API controllers and related utilities for the DigitalData.Core library. It includes generic CRUD controllers, localization extensions, middleware for security policies, and application model conventions.</Description>
     <PackageId>DigitalData.Core.API</PackageId>
-    <Version>2.0.1</Version>
+    <Version>2.1.1</Version>
     <Authors>Digital Data GmbH</Authors>
     <Company>Digital Data GmbH</Company>
     <Product>DigitalData.Core.API</Product>
@@ -16,8 +16,8 @@
     <RepositoryUrl>http://git.dd:3000/AppStd/WebCoreModules.git</RepositoryUrl>
     <PackageTags>digital data core api</PackageTags>
     <PackageIcon>core_icon.png</PackageIcon>
-    <AssemblyVersion>2.0.1</AssemblyVersion>
-    <FileVersion>2.0.1</FileVersion>
+    <AssemblyVersion>2.1.1</AssemblyVersion>
+    <FileVersion>2.1.1</FileVersion>
   </PropertyGroup>
 
   <ItemGroup>

DigitalData.Core.Abstractions/Application/IBasicCRUDService.cs

@@ -15,7 +15,7 @@ namespace DigitalData.Core.Abstractions.Application
     /// This interface is useful for entities that do not require different DTOs for different operations,
     /// allowing for a more concise and maintainable codebase when implementing services for such entities.
     /// </remarks>
-    public interface IBasicCRUDService<TDto, TEntity, TId> : ICRUDService<TDto, TDto, TDto, TEntity, TId>
+    public interface IBasicCRUDService<TDto, TEntity, TId> : ICRUDService<TDto, TDto, TEntity, TId>
         where TDto : class, IUnique<TId> where TEntity : class, IUnique<TId>
     {
     }

DigitalData.Core.Abstractions/Application/ICRUDService.cs

@@ -2,8 +2,8 @@
 
 namespace DigitalData.Core.Abstractions.Application
 {
-    public interface ICRUDService<TCreateDto, TReadDto, TUpdateDto, TEntity, TId> : IReadService<TReadDto, TEntity, TId>
-        where TCreateDto : class where TReadDto : class where TUpdateDto : IUnique<TId> where TEntity : class, IUnique<TId>
+    public interface ICRUDService<TCreateDto, TReadDto, TEntity, TId> : IReadService<TReadDto, TEntity, TId>
+        where TCreateDto : class where TReadDto : class where TEntity : class, IUnique<TId>
     {
         /// <summary>
         /// Asynchronously creates a new entity based on the provided <paramref name="createDto"/> and returns the identifier of the created entity wrapped in a <see cref="DataResult{TId}"/>.
@@ -20,6 +20,6 @@ namespace DigitalData.Core.Abstractions.Application
         /// </summary>
         /// <param name="updateDto">The updateDTO with updated values for the entity.</param>
         /// <returns>An Result indicating the outcome of the update operation, with an appropriate message.</returns>
-        Task<Result> UpdateAsync(TUpdateDto updateDto);
+        Task<Result> UpdateAsync<TUpdateDto>(TUpdateDto updateDto) where TUpdateDto : IUnique<TId>;
     }
 }

DigitalData.Core.Abstractions/DigitalData.Core.Abstractions.csproj

@@ -9,7 +9,7 @@
 		<Authors>Digital Data GmbH</Authors>
 		<Company>Digital Data GmbH</Company>
 		<Product>DigitalData.Core.Abstractions</Product>
-		<Description>This package contains abstractions for the DigitalData.Core.Abstractions library, developed according to the principles of Clean Architecture. It promotes separation of concerns and enables independent core logic.</Description>
+		<Description>This package contains abstractions for the DigitalData.Core library, developed according to the principles of Clean Architecture. It promotes separation of concerns and enables independent core logic.</Description>
 		<PackageTags>digital data core abstractions clean architecture</PackageTags>
 		<GeneratePackageOnBuild>True</GeneratePackageOnBuild>
 		<Copyright>Copyright 2024</Copyright>
@@ -17,9 +17,9 @@
 		<RepositoryUrl>http://git.dd:3000/AppStd/WebCoreModules.git</RepositoryUrl>
 		<PackAsTool>False</PackAsTool>
 		<PackageIcon>core_icon.png</PackageIcon>
-		<Version>2.2.1</Version>
-		<AssemblyVersion>2.2.1</AssemblyVersion>
-		<FileVersion>2.2.1</FileVersion>
+		<Version>3.1.0</Version>
+		<AssemblyVersion>3.1.0</AssemblyVersion>
+		<FileVersion>3.1.0</FileVersion>
 	</PropertyGroup>
 
 	<ItemGroup>

DigitalData.Core.Abstractions/Security/IAsymmetricDecryptor.cs

@@ -0,0 +1,9 @@
+namespace DigitalData.Core.Abstractions.Security
+{
+    public interface IAsymmetricDecryptor : IAsymmetricPrivateKey
+    {
+        byte[] Decrypt(byte[] data);
+
+        IAsymmetricEncryptor Encryptor { get; }
+    }
+}

DigitalData.Core.Abstractions/Security/IAsymmetricEncryptor.cs

@@ -0,0 +1,7 @@
+namespace DigitalData.Core.Abstractions.Security
+{
+    public interface IAsymmetricEncryptor : IAsymmetricPublicKey
+    {
+        byte[] Encrypt(byte[] data);
+    }
+}

DigitalData.Core.Abstractions/Security/IAsymmetricKey.cs

@@ -0,0 +1,9 @@
+namespace DigitalData.Core.Abstractions.Security
+{
+    public interface IAsymmetricKey
+    {
+        string? Id { get; }
+
+        string Content { get; }
+    }
+}

DigitalData.Core.Abstractions/Security/IAsymmetricKeyFactory.cs

@@ -0,0 +1,23 @@
+using System.Security.Cryptography;
+
+namespace DigitalData.Core.Abstractions.Security
+{
+    public interface IAsymmetricKeyFactory
+    {
+        string CreatePrivateKeyPem(int? keySizeInBits = null, bool encrypt = false);
+
+        string CreateEncryptedPrivateKeyPem(
+            PbeEncryptionAlgorithm? pbeEncryptionAlgorithm = null,
+            HashAlgorithmName? hashAlgorithmName = null,
+            int? iterationCount = null,
+            int? keySizeInBits = null,
+            string? password = null);
+
+        string CreateEncryptedPrivateKeyPem(
+            PbeParameters pbeParameters,
+            int? keySizeInBits = null,
+            string? password = null);
+
+        IAsymmetricDecryptor CreateDecryptor(string pem, string? issuer = null, string? audience = null, bool encrypt = false, RSAEncryptionPadding? padding = null);
+    }
+}

DigitalData.Core.Abstractions/Security/IAsymmetricPrivateKey.cs

@@ -0,0 +1,9 @@
+namespace DigitalData.Core.Abstractions.Security
+{
+    public interface IAsymmetricPrivateKey : IAsymmetricKey
+    {
+        bool IsEncrypted { get; }
+
+        IAsymmetricPublicKey PublicKey { get; }
+    }
+}

DigitalData.Core.Abstractions/Security/IAsymmetricPublicKey.cs

@@ -0,0 +1,6 @@
+namespace DigitalData.Core.Abstractions.Security
+{
+    public interface IAsymmetricPublicKey : IAsymmetricKey
+    {
+    }
+}

DigitalData.Core.Abstractions/Security/IAsymmetricTokenDescriptor.cs

@@ -0,0 +1,74 @@
+using Microsoft.IdentityModel.Tokens;
+
+namespace DigitalData.Core.Abstractions.Security
+{
+    /// <summary>
+    /// Contains some information which used to create a security token. Designed to abstract <see cref="SecurityTokenDescriptor"/>
+    /// </summary>
+    public interface IAsymmetricTokenDescriptor : IAsymmetricPrivateKey, IUniqueSecurityContext
+    {
+        IAsymmetricTokenValidator Validator { get; }
+
+        TimeSpan Lifetime { get; init; }
+
+        #region SecurityTokenDescriptor Map
+        /// <summary>
+        /// Defines the compression algorithm that will be used to compress the JWT token payload.
+        /// </summary>
+        string CompressionAlgorithm { get; }
+
+        /// <summary>
+        /// Gets or sets the <see cref="EncryptingCredentials"/> used to create a encrypted security token.
+        /// </summary>
+        EncryptingCredentials EncryptingCredentials { get; }
+
+        /// <summary>
+        /// Gets or sets the value of the 'expiration' claim. This value should be in UTC.
+        /// </summary>
+        DateTime? Expires { get; }
+
+        /// <summary>
+        /// Gets or sets the time the security token was issued. This value should be in UTC.
+        /// </summary>
+        DateTime? IssuedAt { get; }
+
+        /// <summary>
+        /// Gets or sets the notbefore time for the security token. This value should be in UTC.
+        /// </summary>
+        DateTime? NotBefore { get; }
+
+        /// <summary>
+        /// Gets or sets the token type.
+        /// <remarks> If provided, this will be added as the value for the 'typ' header parameter. In the case of a JWE, this will be added to both the inner (JWS) and the outer token (JWE) header. By default, the value used is 'JWT'.
+        /// If <see cref="AdditionalHeaderClaims"/> also contains 'typ' header claim value, it will override the TokenType provided here.
+        /// This value is used only for JWT tokens and not for SAML/SAML2 tokens</remarks>
+        /// </summary>
+        string TokenType { get; }
+
+        /// <summary>
+        /// Gets or sets the <see cref="Dictionary{TKey, TValue}"/> which contains any custom header claims that need to be added to the JWT token header.
+        /// The 'alg', 'kid', 'x5t', 'enc', and 'zip' claims are added by default based on the <see cref="SigningCredentials"/>,
+        /// <see cref="EncryptingCredentials"/>, and/or <see cref="CompressionAlgorithm"/> provided and SHOULD NOT be included in this dictionary as this
+        /// will result in an exception being thrown. 
+        /// <remarks> These claims are only added to the outer header (in case of a JWE).</remarks>
+        /// </summary>
+        IDictionary<string, object> AdditionalHeaderClaims { get; }
+
+        /// <summary>
+        /// Gets or sets the <see cref="Dictionary{TKey, TValue}"/> which contains any custom header claims that need to be added to the inner JWT token header.
+        /// The 'alg', 'kid', 'x5t', 'enc', and 'zip' claims are added by default based on the <see cref="SigningCredentials"/>,
+        /// <see cref="EncryptingCredentials"/>, and/or <see cref="CompressionAlgorithm"/> provided and SHOULD NOT be included in this dictionary as this
+        /// will result in an exception being thrown. 
+        /// <remarks>
+        /// For JsonWebTokenHandler, these claims are merged with <see cref="AdditionalHeaderClaims"/> while adding to the inner JWT header.
+        /// </remarks>
+        /// </summary>
+        IDictionary<string, object> AdditionalInnerHeaderClaims { get; }
+
+        /// <summary>
+        /// Gets or sets the <see cref="SigningCredentials"/> used to create a security token.
+        /// </summary>
+        SigningCredentials SigningCredentials { get; }
+        #endregion SecurityTokenDescriptor
+    }
+}

DigitalData.Core.Abstractions/Security/IAsymmetricTokenValidator.cs

@@ -0,0 +1,9 @@
+using Microsoft.IdentityModel.Tokens;
+
+namespace DigitalData.Core.Abstractions.Security
+{
+    public interface IAsymmetricTokenValidator : IAsymmetricPublicKey
+    {
+        SecurityKey SecurityKey { get; }
+    }
+}

DigitalData.Core.Abstractions/Security/ICryptFactory.cs

@@ -1,48 +0,0 @@
-using System.Security.Cryptography;
-
-namespace DigitalData.Core.Abstractions.Security
-{
-    public interface ICryptFactory
-    {
-        int KeySizeInBits { get; init; }
-
-        string PbePassword { init; }
-
-        PbeEncryptionAlgorithm PbeEncryptionAlgorithm { get; init; }
-
-        HashAlgorithmName PbeHashAlgorithmName { get; init; }
-
-        int PbeIterationCount { get; init; }
-
-        PbeParameters PbeParameters { get; }
-
-        string EncryptedPrivateKeyPemLabel { get; init; }
-
-        /// <summary>
-        /// Gets the formatter function for generating RSA key names.
-        /// This formatter takes an issuer, audience, isPrivate, and optional version and separator
-        /// to produce a formatted string used for the key naming convention.
-        /// </summary>
-        /// <param name="issuer">A string representing the issuer of the key. It should not contain invalid file name characters or the separator.</param>
-        /// <param name="audience">A string representing the audience for which the key is intended. It should not contain invalid file name characters or the separator.</param>
-        /// <param name="isPrivate">An bool to check if the key is private.</param>
-        /// <param name="version">An instance of the <see cref="Version?"/> interface, which is used to keep the version of Pbe password.</param>
-        /// <param name="separator">An optional string separator used to separate the issuer and audience. The default is "-_-". It should not be included in the issuer or audience strings.</param>
-        /// <returns>A formatted string combining the issuer, audience, and separator, which adheres to valid file naming rules.</returns>
-        /// <exception cref="ArgumentException">Thrown when the issuer, audience, or separator contains invalid characters or when the separator is present within the issuer or audience.</exception>
-        Func<string, string, bool, Version?, string?, string> RSAKeyNameFormatter { get; }
-
-        string CreateRSAPrivateKeyPem(int? keySizeInBits = null);
-
-        string CreateEncryptedPrivateKeyPem(
-            int? keySizeInBits = null,
-            string? password = null,
-            PbeEncryptionAlgorithm? pbeEncryptionAlgorithm = null,
-            HashAlgorithmName? hashAlgorithmName = null,
-            int? iterationCount = null);
-        
-        IRSADecryptor this[string key] { get; }
-
-        bool TryGetRSADecryptor(string key, out IRSADecryptor? decryptor);
-    }
-}

DigitalData.Core.Abstractions/Security/ICryptoFactory.cs

@@ -0,0 +1,11 @@
+namespace DigitalData.Core.Abstractions.Security
+{
+    public interface ICryptoFactory : IAsymmetricKeyFactory
+    {
+        IEnumerable<IAsymmetricDecryptor> Decryptors { get; }
+
+        IAsymmetricDecryptor VaultDecryptor { get; }
+
+        IEnumerable<IAsymmetricTokenDescriptor> TokenDescriptors { get; }
+    }
+}

DigitalData.Core.Abstractions/Security/IJwtSignatureHandler.cs

@@ -0,0 +1,15 @@
+using Microsoft.IdentityModel.Tokens;
+
+namespace DigitalData.Core.Abstractions.Security
+{
+    public interface IJwtSignatureHandler<TPrincipal>
+    {
+        SecurityToken CreateToken(SecurityTokenDescriptor tokenDescriptor);
+
+        SecurityToken CreateToken(TPrincipal subject, IAsymmetricTokenDescriptor descriptor);
+
+        SecurityToken CreateToken(TPrincipal subject, string issuer, string audience);
+
+        string WriteToken(SecurityToken token);
+    }
+}

DigitalData.Core.Abstractions/Security/IRSACryptographer.cs

@@ -1,11 +0,0 @@
-using System.Security.Cryptography;
-
-namespace DigitalData.Core.Abstractions.Security
-{
-    public interface IRSACryptographer
-    {
-        public string Pem { get; init; }
-
-        public RSAEncryptionPadding Padding { get; init; }
-    }
-}

DigitalData.Core.Abstractions/Security/IRSADecryptor.cs

@@ -1,17 +0,0 @@
-namespace DigitalData.Core.Abstractions.Security
-{
-    public interface IRSADecryptor : IRSACryptographer
-    {
-        (string Value, Version Version)? VersionedPassword { init; }
-
-        Version? PasswordVersion { get; }
-
-        bool HasEncryptedPem { get; }
-
-        IRSAEncryptor Encryptor { get; }
-
-        byte[] Decrypt(byte[] data);
-
-        string Decrypt(string data);
-    }
-}

DigitalData.Core.Abstractions/Security/IRSAEncryptor.cs

@@ -1,11 +0,0 @@
-namespace DigitalData.Core.Abstractions.Security
-{
-    public interface IRSAEncryptor : IRSACryptographer
-    {
-        public byte[] Encrypt(byte[] data);
-
-        public string Encrypt(string data);
-
-        public bool Verify(string data, string signature) => Encrypt(data) == signature;
-    }
-}

DigitalData.Core.Abstractions/Security/IUniqueSecurityContext.cs

@@ -0,0 +1,24 @@
+namespace DigitalData.Core.Abstractions.Security
+{
+    /// <summary>
+    /// Represents a unique security context that identifies an issuer and an audience.
+    /// </summary>
+    public interface IUniqueSecurityContext
+    {
+        /// <summary>
+        /// Gets the issuer identifier for this security context.
+        /// </summary>
+        /// <remarks>
+        /// The issuer typically represents the entity that issues a token or a cryptographic key.
+        /// </remarks>
+        string Issuer { get; }
+
+        /// <summary>
+        /// Gets the audience identifier for this security context.
+        /// </summary>
+        /// <remarks>
+        /// The audience typically represents the intended recipient or target of a token or cryptographic operation.
+        /// </remarks>
+        string Audience { get; }
+    }
+}

DigitalData.Core.Abstractions/Security/SecurityExtensions.cs

@@ -0,0 +1,62 @@
+using Microsoft.IdentityModel.Tokens;
+using System.Text;
+
+namespace DigitalData.Core.Abstractions.Security
+{
+    public static class SecurityExtensions
+    {
+        #region Unique Security Context
+        public static IEnumerable<TUniqueSecurityContext> GetByIssuer<TUniqueSecurityContext>(this IEnumerable<TUniqueSecurityContext> contextes, string issuer) where TUniqueSecurityContext: IUniqueSecurityContext
+            => contextes.Where(c => c.Issuer == issuer);
+
+        public static IEnumerable<TUniqueSecurityContext> GetByAudience<TUniqueSecurityContext>(this IEnumerable<TUniqueSecurityContext> contextes, string audience) where TUniqueSecurityContext : IUniqueSecurityContext
+            => contextes.Where(c => c.Audience == audience);
+
+        public static TUniqueSecurityContext Get<TUniqueSecurityContext>(this IEnumerable<TUniqueSecurityContext> contextes, string issuer, string audience) where TUniqueSecurityContext : IUniqueSecurityContext
+            => contextes.Where(c => c.Issuer == issuer && c.Audience == audience).SingleOrDefault()
+            ?? throw new InvalidOperationException($"Exactly one {typeof(TUniqueSecurityContext).Name} must exist with Issuer: '{issuer}' and Audience: '{audience}'.");
+
+        public static bool TryGet<TUniqueSecurityContext>(this IEnumerable<TUniqueSecurityContext> contextes, string issuer, string audience, out TUniqueSecurityContext context) where TUniqueSecurityContext : IUniqueSecurityContext
+        {
+#pragma warning disable CS8601 // Possible null reference assignment.
+            context = contextes.SingleOrDefault(c => c.Issuer == issuer && c.Audience == audience);
+#pragma warning restore CS8601 // Possible null reference assignment.
+            return context is not null;
+        }
+
+        public static TUniqueSecurityContext Match<TUniqueSecurityContext>(this IEnumerable<TUniqueSecurityContext> contextes, IUniqueSecurityContext lookupContext) where TUniqueSecurityContext : IUniqueSecurityContext
+            => contextes.Get(lookupContext.Issuer, lookupContext.Audience);
+
+        public static bool TryMatch<TUniqueSecurityContext>(this IEnumerable<TUniqueSecurityContext> contextes, IUniqueSecurityContext lookupContext, out TUniqueSecurityContext context) where TUniqueSecurityContext : IUniqueSecurityContext
+            => contextes.TryGet(lookupContext.Issuer, lookupContext.Audience, out context);
+        #endregion Unique Security Context
+
+        #region De/serilization
+        internal static byte[] Base64ToByte(this string base64String) => Convert.FromBase64String(base64String);
+
+        internal static string BytesToString(this byte[] bytes) => Encoding.UTF8.GetString(bytes);
+
+        internal static string ToBase64String(this byte[] bytes) => Convert.ToBase64String(bytes);
+
+        internal static byte[] ToBytes(this string str) => System.Text.Encoding.UTF8.GetBytes(str);
+
+        public static string Decrypt(this IAsymmetricDecryptor decryptor, string data) => decryptor
+            .Decrypt(data.Base64ToByte()).BytesToString();
+        #endregion De/serilization
+
+        #region Asymmetric Encryptor
+        public static string Encrypt(this IAsymmetricEncryptor encryptor, string data) => encryptor.Encrypt(data.ToBytes()).ToBase64String();
+        #endregion Asymmetric Encryptor
+
+        #region Jwt Signature Handler
+        public static string WriteToken<TPrincipal>(this IJwtSignatureHandler<TPrincipal> handler, SecurityTokenDescriptor descriptor)
+            => handler.WriteToken(handler.CreateToken(descriptor));
+
+        public static string WriteToken<TPrincipal>(this IJwtSignatureHandler<TPrincipal> handler, TPrincipal subject, IAsymmetricTokenDescriptor descriptor)
+            => handler.WriteToken(handler.CreateToken(subject: subject, descriptor: descriptor));
+
+        public static string WriteToken<TPrincipal>(this IJwtSignatureHandler<TPrincipal> handler, TPrincipal subject, string issuer, string audience)
+            => handler.WriteToken(handler.CreateToken(subject: subject, issuer: issuer, audience: audience));
+        #endregion Jwt Signature Handler
+    }
+}

DigitalData.Core.Application/BasicCRUDService.cs

@@ -19,7 +19,7 @@ namespace DigitalData.Core.Application
     /// and a culture-specific translation service for any necessary text translations, ensuring a versatile and internationalized approach to CRUD operations.
     /// </remarks>
     public class BasicCRUDService<TCRUDRepository, TDto, TEntity, TId> :
-        CRUDService<TCRUDRepository, TDto, TDto, TDto, TEntity, TId>, IBasicCRUDService<TDto, TEntity, TId>
+        CRUDService<TCRUDRepository, TDto, TDto, TEntity, TId>, IBasicCRUDService<TDto, TEntity, TId>
          where TCRUDRepository : ICRUDRepository<TEntity, TId> where TDto : class, IUnique<TId> where TEntity : class, IUnique<TId>
     {
         /// <summary>

DigitalData.Core.Application/CRUDService.cs

@@ -12,11 +12,10 @@ namespace DigitalData.Core.Application
     /// </summary>
     /// <typeparam name="TCreateDto">The DTO type for create operations.</typeparam>
     /// <typeparam name="TReadDto">The DTO type for read operations.</typeparam>
-    /// <typeparam name="TUpdateDto">The DTO type for update operations.</typeparam>
     /// <typeparam name="TEntity">The entity type.</typeparam>
     /// <typeparam name="TId">The type of the identifier for the entity.</typeparam>
-    public class CRUDService<TCRUDRepository, TCreateDto, TReadDto, TUpdateDto, TEntity, TId> : ReadService<TCRUDRepository, TReadDto, TEntity, TId>, ICRUDService<TCreateDto, TReadDto, TUpdateDto, TEntity, TId>
-        where TCRUDRepository : ICRUDRepository<TEntity, TId> where TCreateDto : class where TReadDto : class where TUpdateDto : IUnique<TId> where TEntity : class, IUnique<TId>
+    public class CRUDService<TCRUDRepository, TCreateDto, TReadDto, TEntity, TId> : ReadService<TCRUDRepository, TReadDto, TEntity, TId>, ICRUDService<TCreateDto, TReadDto, TEntity, TId>
+        where TCRUDRepository : ICRUDRepository<TEntity, TId> where TCreateDto : class where TReadDto : class where TEntity : class, IUnique<TId>
     {
 
         /// <summary>
@@ -45,7 +44,7 @@ namespace DigitalData.Core.Application
         /// </summary>
         /// <param name="updateDto">The DTO to update an entity from.</param>
         /// <returns>A service message indicating success or failure.</returns>
-        public virtual async Task<Result> UpdateAsync(TUpdateDto updateDto)
+        public virtual async Task<Result> UpdateAsync<TUpdateDto>(TUpdateDto updateDto) where TUpdateDto : IUnique<TId>
         {
             var currentEntitiy = await _repository.ReadByIdAsync(updateDto.Id);
 

DigitalData.Core.Application/DIExtensions.cs

@@ -40,7 +40,6 @@ namespace DigitalData.Core.Application
         /// <typeparam name="TCRUDRepository">The repository type that provides CRUD operations for entities of type TEntity.</typeparam>
         /// <typeparam name="TCreateDto">The DTO type used for create operations.</typeparam>
         /// <typeparam name="TReadDto">The DTO type used for read operations.</typeparam>
-        /// <typeparam name="TUpdateDto">The DTO type used for update operations.</typeparam>
         /// <typeparam name="TEntity">The entity type corresponding to the DTOs.</typeparam>
         /// <typeparam name="TId">The type of the entity's identifier.</typeparam>
         /// <typeparam name="TProfile">The AutoMapper profile type for configuring mappings between the DTOs and the entity.</typeparam>
@@ -48,9 +47,9 @@ namespace DigitalData.Core.Application
         /// <param name="configureService">An optional action to configure additional services for the CRUD service.</param>
         /// <returns>The original <see cref="IServiceCollection"/> instance, allowing further configuration.</returns>
         public static IServiceCollection AddCleanCRUDService<TCRUDRepository, TCreateDto, TReadDto, TUpdateDto, TEntity, TId, TProfile>(this IServiceCollection services, Action<IServiceCollection>? configureService = null)
-            where TCRUDRepository : ICRUDRepository<TEntity, TId> where TCreateDto : class where TReadDto : class where TUpdateDto : class, IUnique<TId> where TEntity : class, IUnique<TId> where TProfile : Profile
+            where TCRUDRepository : ICRUDRepository<TEntity, TId> where TCreateDto : class where TReadDto : class, IUnique<TId> where TEntity : class, IUnique<TId> where TProfile : Profile
         {
-            services.AddScoped<ICRUDService<TCreateDto, TReadDto, TUpdateDto, TEntity, TId>, CRUDService<TCRUDRepository, TCreateDto, TReadDto, TUpdateDto, TEntity, TId>>();
+            services.AddScoped<ICRUDService<TCreateDto, TReadDto, TEntity, TId>, CRUDService<TCRUDRepository, TCreateDto, TReadDto, TEntity, TId>>();
             configureService?.Invoke(services);
 
             services.AddAutoMapper(typeof(TProfile).Assembly);

DigitalData.Core.Application/DigitalData.Core.Application.csproj

@@ -14,7 +14,9 @@
     <PackageIcon>core_icon.png</PackageIcon>
     <RepositoryUrl>http://git.dd:3000/AppStd/WebCoreModules.git</RepositoryUrl>
     <PackageTags>digital data core application clean architecture</PackageTags>
-    <Version>2.0.0.0</Version>
+    <Version>3.0.1</Version>
+    <AssemblyVersion>3.0.1</AssemblyVersion>
+    <FileVersion>3.0.1</FileVersion>
   </PropertyGroup>
 
   <ItemGroup>

DigitalData.Core.Security.Extensions/DigitalData.Core.Security.Extensions.csproj

@@ -1,13 +0,0 @@
-<Project Sdk="Microsoft.NET.Sdk">
-
-  <PropertyGroup>
-    <TargetFrameworks>net7.0;net8.0</TargetFrameworks>
-    <ImplicitUsings>enable</ImplicitUsings>
-    <Nullable>enable</Nullable>
-  </PropertyGroup>
-
-  <ItemGroup>
-    <ProjectReference Include="..\DigitalData.Core.Abstractions\DigitalData.Core.Abstractions.csproj" />
-  </ItemGroup>
-
-</Project>

DigitalData.Core.Security.Extensions/Extensions.cs

@@ -1,13 +0,0 @@
-namespace DigitalData.Core.Security.Extensions
-{
-    public static class Extensions
-    {
-        public static string ToBase64String(this byte[] bytes) => Convert.ToBase64String(bytes);
-
-        public static byte[] Base64ToByte(this string base64String) => Convert.FromBase64String(base64String);
-
-        public static byte[] ToBytes(this string str) => System.Text.Encoding.UTF8.GetBytes(str);
-
-        public static string BytesToString(this byte[] bytes) => System.Text.Encoding.UTF8.GetString(bytes);
-    }
-}

DigitalData.Core.Security.Extensions/RSAExtensions.cs

@@ -1,66 +0,0 @@
-using DigitalData.Core.Abstractions.Security;
-using System.Collections.Concurrent;
-using System.Security.Cryptography;
-
-namespace DigitalData.Core.Security.Extensions
-{
-    public static class RSAExtensions
-    {
-        public static RSA ToRSA(this string pem)
-        {
-            var rsa = RSA.Create();
-            rsa.ImportFromPem(pem);
-            return rsa;
-        }
-
-        public static IRSADecryptor GetRSADecryptor(this ICryptFactory factory, string issuer, string audience, Version? version = null, string? seperator = null)
-            => factory[factory.RSAKeyNameFormatter(issuer, audience, true, version, seperator)];
-
-        public static bool TryGetRSADecryptor(this ICryptFactory factory, string issuer, string audience, out IRSADecryptor? decryptor, Version? version = null, string? seperator = null)
-            => factory.TryGetRSADecryptor(factory.RSAKeyNameFormatter(issuer, audience, true, version, seperator), out decryptor);
-
-        private static string CreatePath(string filename, string? directory = null)
-        {
-            directory ??= Environment.CurrentDirectory;
-
-            if (!Directory.Exists(directory))
-            {
-                Directory.CreateDirectory(directory);
-            }
-
-            return Path.Combine(directory, $"{filename}.pem");
-        }
-
-        private static readonly ConcurrentDictionary<string, SemaphoreSlim> FileLocks = new();
-
-        public static void SavePem(this IRSACryptographer decryptor, string key, string? directory = null)
-        {
-            var filePath = CreatePath(filename: key, directory : directory);
-            var fileLock = FileLocks.GetOrAdd(filePath, _ => new (1, 1));
-            fileLock.Wait();
-            try
-            {
-                File.WriteAllText(filePath, decryptor.Pem);
-            }
-            finally
-            {
-                fileLock.Release();
-            }
-        }
-
-        public static async Task SavePemAsync(this IRSACryptographer decryptor, string key, string? directory = null)
-        {
-            var filePath = CreatePath(filename: key, directory: directory);
-            var fileLock = FileLocks.GetOrAdd(filePath, _ => new (1, 1));
-            await fileLock.WaitAsync();
-            try
-            {
-                await File.WriteAllTextAsync(filePath, decryptor.Pem);
-            }
-            finally
-            {
-                fileLock.Release();
-            }
-        }
-    }
-}

DigitalData.Core.Security/Config/ClaimDescriptor.cs

@@ -0,0 +1,11 @@
+using System.Security.Claims;
+
+namespace DigitalData.Core.Security.Config
+{
+    public class ClaimDescriptor<TPrincipal>
+    {
+        public Func<TPrincipal, IDictionary<string, object>>? CreateClaims { get; init; }
+
+        public Func<TPrincipal, ClaimsIdentity>? CreateSubject { get; init; }
+    }
+}

DigitalData.Core.Security/Config/CryptoFactoryParams.cs

@@ -0,0 +1,104 @@
+using DigitalData.Core.Security.RSAKey;
+
+namespace DigitalData.Core.Security.Config
+{
+    public class CryptoFactoryParams : RSAFactoryParams
+    {
+        public string PemDirectory { get; init; } = string.Empty;
+
+        /// <summary>
+        /// Represents the separator used to concatenate the components of a file-related token string.
+        /// </summary>
+        /// <remarks>
+        /// The resulting file-related token string is constructed as follows:
+        /// <c>string.Join(FileNameSeparator, Issuer, Audience, Secret_version)</c>.
+        /// If <c>Secret_version</c> is not null, it will be included in the concatenation.
+        /// </remarks>
+        /// <example>
+        /// For example, if <c>FileNameSeparator = "_-_"</c>, the output might look like:
+        /// <c>"Issuer_-_Audience_-_Secret_version"</c>.
+        /// </example>
+        public string FileNameSeparator { get; init; } = "_-_";
+
+        public string FileExtension { get; init; } = "pem";
+
+        /// <summary>
+        ///This is the subtext of the pem file name. For the file to be automatically renewed, the name must be assigned to change periodically. For example, by default MM/2 will be refreshed every 2 months.
+        /// <br />
+        /// - <see cref="StringExtensions.ToTag(DateTime, string)" /> is used when converting to tag.
+        /// <br />
+        /// - If the format contains the symbol “//”, the method divides the numeric value obtained from the left side of the format
+        ///   by one minus the numeric value obtained from the right side of the format string and adds one. For instance:
+        /// <br />
+        /// - If the date is 02.03.2024 and the format is "MM//2", it extracts the month (02), subtracts one (3), divides it by 2,
+        ///   rounds down the outgoing number (1), adds one to the number (resulting in 2).
+        ///   <br />
+        /// - If the format does not contain "//", the method uses the default <see cref="DateTime.ToString"/> format.
+        /// <br />
+        /// This method provides a way to format the date based on typical or customized rules, including mathematical operations like division.
+        /// </summary>
+        public string DateTagFormat { get; init; } = "MM//2";
+
+        public IEnumerable<RSADecryptor> Decryptors { get; init; } = new List<RSADecryptor>();
+
+        public IEnumerable<RSATokenDescriptor> TokenDescriptors { get; init; } = new List<RSATokenDescriptor>();
+
+        public RSADecryptor? VaultDecryptor { get; init; }
+
+        public CryptoFactoryParams()
+        {
+            // init decryptors
+            AfterCreate += () =>
+            {
+                // Create root folder if it does not exist
+                if (!Directory.Exists(PemDirectory))
+                    Directory.CreateDirectory(PemDirectory);
+
+                var privateKeys = new List<RSAPrivateKey>();
+                privateKeys.AddRange(Decryptors);
+                privateKeys.AddRange(TokenDescriptors);
+                if (VaultDecryptor is not null)
+                    privateKeys.Add(VaultDecryptor);
+
+                foreach (var privateKey in privateKeys)
+                {
+                    // set default path
+                    if (privateKey.IsPemNull)
+                    {
+                        // file name 
+                        var file_name_params = new List<object>();
+
+                        if (privateKey.Id is not null)
+                            file_name_params.Add(privateKey.Id);
+                        else if (privateKey is RSATokenDescriptor descriptor)
+                            file_name_params.Add(descriptor.Issuer);
+
+                        file_name_params.Add(KeySizeInBits);
+                        file_name_params.Add(DateTime.Now.ToTag(DateTagFormat));
+
+                        if (privateKey.IsEncrypted)
+                            file_name_params.Add(Secrets.Version);
+
+                        var file_name = $"{string.Join(FileNameSeparator, file_name_params)}.{FileExtension}";
+
+                        var path = Path.Combine(PemDirectory, file_name);
+
+                        if (File.Exists(path))
+                            privateKey.SetPem(File.ReadAllText(path));
+                        else
+                        {
+                            var pem = privateKey.IsEncrypted
+                                ? Instance.RSAFactory.CreateEncryptedPrivateKeyPem(pbeParameters: PbeParameters, keySizeInBits: KeySizeInBits, password: Secrets.PBE_PASSWORD)
+                                : Instance.RSAFactory.CreatePrivateKeyPem(keySizeInBits: KeySizeInBits);
+
+                            privateKey.SetPem(pem);
+
+                            // Save file in background
+                            Task.Run(async () => await File.WriteAllTextAsync(path: path, pem));
+                        }
+                    }
+                }
+            };
+        }
+    }
+}

DigitalData.Core.Security/Config/MappingProfile.cs

@@ -0,0 +1,14 @@
+using AutoMapper;
+using DigitalData.Core.Abstractions.Security;
+using Microsoft.IdentityModel.Tokens;
+
+namespace DigitalData.Core.Security.Config
+{
+    public class MappingProfile : Profile
+    {
+        public MappingProfile()
+        {
+            CreateMap<IAsymmetricTokenDescriptor, SecurityTokenDescriptor>();
+        }
+    }
+}

DigitalData.Core.Security/Config/ParamsConfigureOptions.cs

@@ -0,0 +1,9 @@
+using Microsoft.Extensions.Options;
+
+namespace DigitalData.Core.Security.Config
+{
+    public class ParamsConfigureOptions<TParams> : IConfigureOptions<TParams> where TParams : RSAFactoryParams
+    {
+        public void Configure(TParams options) => options.Init();
+    }
+}

DigitalData.Core.Security/Config/RSAFactoryParams.cs

@@ -0,0 +1,59 @@
+using System.Reflection;
+using System.Security.Cryptography;
+using System.Text.Json.Serialization;
+
+namespace DigitalData.Core.Security.Config
+{
+    public class RSAFactoryParams : IJsonOnDeserialized
+    {
+        public int KeySizeInBits { get; init; } = 2048;
+
+        public string PbePassword { internal get; init; } = Secrets.PBE_PASSWORD;
+
+        public PbeEncryptionAlgorithm PbeEncryptionAlgorithm { get; init; } = PbeEncryptionAlgorithm.Aes256Cbc;
+
+        public HashAlgorithmName PbeHashAlgorithm { get; init; } = HashAlgorithmName.SHA256;
+
+        // TODO: add as json converter to IConfigurIConfiguration.Config
+        public string PbeHashAlgorithmName
+        {
+            get => PbeHashAlgorithm.ToString();
+            init => PbeHashAlgorithm = (typeof(HashAlgorithmName).GetProperty(value, BindingFlags.Public | BindingFlags.Static)?.GetValue(null) is HashAlgorithmName hashAlgorithmName)
+                ? hashAlgorithmName
+                : new(value);            
+        }
+
+        public int PbeIterationCount { get; init; } = 100_000;
+
+        public string EncryptedPrivateKeyPemLabel { get; init; } = "ENCRYPTED PRIVATE KEY";
+
+        private PbeParameters? _pbeParameters;
+
+        [JsonIgnore]
+        public PbeParameters PbeParameters => _pbeParameters!;
+
+        /// <summary>
+        /// Provides a thread-safe initialization mechanism using Lazy initialization.
+        /// </summary>
+        private readonly Lazy<bool> _lazyInitializer;
+
+        public bool IsInitialized => _lazyInitializer.IsValueCreated;
+
+        public RSAFactoryParams()
+        {
+            _lazyInitializer = new(() =>
+            {
+                AfterCreate?.Invoke();
+                return true;
+            });
+
+            AfterCreate += () => _pbeParameters = new PbeParameters(PbeEncryptionAlgorithm, PbeHashAlgorithm, PbeIterationCount);
+        }
+
+        protected event Action AfterCreate;
+
+        public void Init() => _ = _lazyInitializer.Value;
+        
+        public void OnDeserialized() => Init();
+    }
+}

DigitalData.Core.Security/CryptFactory.cs

@@ -1,25 +0,0 @@
-using DigitalData.Core.Abstractions.Security;
-using Microsoft.Extensions.Logging;
-
-namespace DigitalData.Core.Security
-{
-    public class CryptFactory : RSAFactory, ICryptFactory
-    {
-        private readonly IDictionary<string, IRSADecryptor> _decryptors;
-
-        public IRSADecryptor this[string key] { get => _decryptors[key]; set => _decryptors[key] = value; }
-
-        public Func<string, string, bool, Version?, string?, string> RSAKeyNameFormatter { get; }
-
-        public CryptFactory(ILogger<CryptFactory> logger, IDictionary<string, IRSADecryptor> decryptors, Func<string, string, bool, Version?, string?, string> rsaKeyNameFormatter) : base()
-        {
-            _decryptors = decryptors ?? new Dictionary<string, IRSADecryptor>();
-
-            RSAKeyNameFormatter = rsaKeyNameFormatter;
-
-            logger?.LogInformation("Core.Secrets version: {Version}, Created on: {CreationDate}.", Secrets.Version, Secrets.CreationDate.ToString("dd.MM.yyyy"));
-        }
-
-        public bool TryGetRSADecryptor(string key, out IRSADecryptor? decryptor) => _decryptors.TryGetValue(key, out decryptor);
-    }
-}

DigitalData.Core.Security/CryptoFactory.cs

@@ -0,0 +1,38 @@
+using DigitalData.Core.Abstractions.Security;
+using DigitalData.Core.Security.Config;
+using DigitalData.Core.Security.RSAKey;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+ 
+namespace DigitalData.Core.Security
+{
+    public class CryptoFactory : RSAFactory<CryptoFactoryParams>, ICryptoFactory, IAsymmetricKeyFactory
+    {
+        public IEnumerable<IAsymmetricDecryptor> Decryptors { get; }
+        
+        /// <summary>
+        /// It is a separate decryptor for permanently stored encrypted data. It is assigned to the first Default decryptor by default.
+        /// </summary>
+        public IAsymmetricDecryptor VaultDecryptor { get; }
+
+        public IEnumerable<IAsymmetricTokenDescriptor> TokenDescriptors { get; init; } = new List<IAsymmetricTokenDescriptor>();
+
+        public CryptoFactory(IOptions<CryptoFactoryParams> options, ILogger<CryptoFactory>? logger = null) : base(options)
+        {
+            logger?.LogInformation("Core.Secrets version: {Version}, Created on: {CreationDate}.", Secrets.Version, Secrets.CreationDate.ToString("dd.MM.yyyy"));
+
+            if (!_params.Decryptors.Any())
+                throw new InvalidOperationException(
+                    "Any decryptor is not found. Ensure that at least one decryptor is configured in the provided parameters. " +
+                    "This issue typically arises if the configuration for decryptors is incomplete or missing. " +
+                    "Check the 'Decryptors' collection in the configuration and verify that it contains valid entries."
+                );
+
+            Decryptors = _params.Decryptors;
+
+            TokenDescriptors = _params.TokenDescriptors;
+
+            VaultDecryptor = _params.VaultDecryptor ?? Decryptors.First();
+        }
+    }
+}

DigitalData.Core.Security/DIExtensions.cs

@@ -1,16 +1,71 @@
 using DigitalData.Core.Abstractions.Security;
+using DigitalData.Core.Security.Config;
+using DigitalData.Core.Security.RSAKey;
+using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
-using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Options;
+using System.Security.Claims;
 
 namespace DigitalData.Core.Security
 {
     public static class DIExtensions
     {
-        public static IServiceCollection AddSecurity(this IServiceCollection services)
-        {
-            services.TryAddScoped<ICryptFactory, CryptFactory>();
+        private static IServiceCollection AddParamsConfigureOptions<TParams>(this IServiceCollection services) where TParams : RSAFactoryParams
+            => services.AddSingleton<IConfigureOptions<TParams>, ParamsConfigureOptions<TParams>>();
 
-            return services;
+        private static IServiceCollection AddCryptoFactory(this IServiceCollection services) => services
+            .AddParamsConfigureOptions<CryptoFactoryParams>()
+            .AddAutoMapper(typeof(MappingProfile).Assembly)
+            .AddSingleton<ICryptoFactory, CryptoFactory>();
+
+        /// <summary>
+        /// Registers a custom asym crypt service with specified parameters from the given configuration section.
+        /// </summary>
+        /// <param name="services"></param>
+        /// <param name="section"></param>
+        /// <returns>The updated <see cref="IServiceCollection"/> with the RSA Factory registered.</returns>
+        public static IServiceCollection AddCryptoFactory(this IServiceCollection services, IConfigurationSection section) => services
+            .Configure<CryptoFactoryParams>(section)
+            .AddCryptoFactory();
+
+        /// <summary>
+        /// Registers an asym crypt service with the specified parameters from the given instance.
+        /// </summary>
+        /// <param name="services"></param>
+        /// <returns>The updated <see cref="IServiceCollection"/> with the RSA Factory registered.</returns>
+        public static IServiceCollection AddCryptoFactory(this IServiceCollection services, CryptoFactoryParams? factoryParams = null) => services
+            .AddSingleton(Options.Create(factoryParams ?? new()))
+            .AddCryptoFactory();
+
+        /// <summary>
+        /// Registers a custom RSA Factory with specified parameters from the given configuration section.
+        /// </summary>
+        /// <param name="services"></param>
+        /// <param name="section"></param>
+        /// <returns>The updated <see cref="IServiceCollection"/> with the RSA Factory registered.</returns>
+        public static IServiceCollection AddRSAFactory(this IServiceCollection services, IConfigurationSection section) => services
+            .AddParamsConfigureOptions<RSAFactoryParams>()
+            .Configure<RSAFactoryParams>(section)
+            .AddSingleton<IAsymmetricKeyFactory, RSAFactory<RSAFactoryParams>>();
+
+        private static IServiceCollection AddClaimDescriptor<TPrincipal>(this IServiceCollection services,
+            Func<TPrincipal, IDictionary<string, object>>? claimsMapper = null,
+            Func<TPrincipal, ClaimsIdentity>? subjectMapper = null)
+        {
+            var descriptor = new ClaimDescriptor<TPrincipal>
+            {
+                CreateClaims = claimsMapper,
+                CreateSubject = subjectMapper
+            };
+
+            return services.AddSingleton(sp => Options.Create(descriptor));
         }
+
+        public static IServiceCollection AddJwtSignatureHandler<TPrincipal>(this IServiceCollection services,
+            Func<TPrincipal, IDictionary<string, object>>? claimsMapper = null,
+            Func<TPrincipal, ClaimsIdentity>? subjectMapper = null)
+            => services
+                .AddClaimDescriptor(claimsMapper: claimsMapper, subjectMapper: subjectMapper)
+                .AddSingleton<IJwtSignatureHandler<TPrincipal>, JwtSignatureHandler<TPrincipal>>();
     }
 }

DigitalData.Core.Security/DigitalData.Core.Security.csproj

@@ -4,11 +4,35 @@
     <TargetFrameworks>net7.0;net8.0</TargetFrameworks>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
+    <PackageId>DigitalData.Core.Security</PackageId>
+    <Version>1.0.0</Version>
+    <Company>Digital Data GmbH</Company>
+    <Product>Digital Data GmbH</Product>
+    <Description>This package provides RSA-based security functionalities as an implementation of the DigitalData.Core.Abstractions.Security library. It supports robust encryption and decryption operations, as well as JWT signing and validation for secure authentication and data integrity.</Description>
+    <Authors>Digital Data GmbH</Authors>
+    <Copyright>Copyright 2025</Copyright>
+    <PackageProjectUrl></PackageProjectUrl>
+    <PackageIcon>core_icon.png</PackageIcon>
+    <RepositoryUrl>http://git.dd:3000/AppStd/WebCoreModules.git</RepositoryUrl>
+    <PackageTags>digital data core security</PackageTags>
+    <AssemblyVersion>1.0.0</AssemblyVersion>
+    <FileVersion>1.0.0</FileVersion>
   </PropertyGroup>
 
+  <ItemGroup>
+    <None Include="..\..\nuget-package-icons\core_icon.png">
+      <Pack>True</Pack>
+      <PackagePath>\</PackagePath>
+    </None>
+  </ItemGroup>
+
+  <ItemGroup>
+    <PackageReference Include="AutoMapper" Version="13.0.1" />
+    <PackageReference Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="8.0.0" />
+  </ItemGroup>
+
   <ItemGroup>
     <ProjectReference Include="..\DigitalData.Core.Abstractions\DigitalData.Core.Abstractions.csproj" />
-    <ProjectReference Include="..\DigitalData.Core.Security.Extensions\DigitalData.Core.Security.Extensions.csproj" />
   </ItemGroup>
 
 </Project>

DigitalData.Core.Security/Extension.cs

@@ -0,0 +1,89 @@
+using AutoMapper;
+using DigitalData.Core.Abstractions.Security;
+using Microsoft.IdentityModel.Tokens;
+
+namespace DigitalData.Core.Security
+{
+    internal static class Extension
+    {
+        /// <summary>
+        /// Converts a <see cref="DateTime"/> to a formatted string based on the specified format string.
+        /// <br />
+        /// - If the format contains the symbol “//”, the method divides the numeric value obtained from the left side of the format
+        ///   by one minus the numeric value obtained from the right side of the format string and adds one. For instance:
+        /// <br />
+        /// - If the date is 02.03.2024 and the format is "MM//2", it extracts the month (02), subtracts one (3), divides it by 2,
+        ///   rounds down the outgoing number (1), adds one to the number (resulting in 2).
+        ///   <br />
+        /// - If the format does not contain "//", the method uses the default <see cref="DateTime.ToString"/> format.
+        /// <br />
+        /// </summary>
+        /// <param name="date">The <see cref="DateTime"/> value to be formatted.</param>
+        /// <param name="format">The format string that dictates the formatting of the date. If the format includes the "//" symbol, 
+        /// it splits the string at "//" and divides the left-side value by the right-side value. The format string can include standard
+        /// <see cref="DateTime.ToString"/> format patterns.</param>
+        /// <returns>A string representation of the formatted date, or the result of the division operation if "//" is present in the format.</returns>
+        /// <exception cref="ArgumentException">Thrown if the format string is invalid, such as having an incorrect number of parts after "//".</exception>
+        /// <exception cref="DivideByZeroException">Thrown if the right side of the "//" contains a zero, resulting in division by zero.</exception>
+        /// <exception cref="FormatException">Thrown if either the left-side or right-side value of "//" cannot be parsed as an integer.</exception>
+        internal static string ToTag(this DateTime date, string format)
+        {
+            if (format is not null && format.Contains("//"))
+            {
+                var subStrings = format.Split("//");
+
+                if (subStrings.Length != 2)
+                    throw new ArgumentException($"Date tag format {format} is invalid. It must contain exactly one '//' separator.", nameof(format));
+
+                var formattedLeft = date.ToString(subStrings[0]);
+
+                if (!int.TryParse(formattedLeft, out var dateValue))
+                    throw new FormatException($"The left-side value ({formattedLeft}) of the format could not be parsed to an integer.");
+
+                if (!int.TryParse(subStrings[1], out var divisor))
+                    throw new FormatException($"The right-side value ({divisor}) of the format could not be parsed to an integer.");
+
+                if (divisor == 0)
+                    throw new DivideByZeroException($"Date tag format {format} includes division by zero, which is not allowed.");
+
+                var result = (dateValue - 1) / divisor + 1;
+                return result.ToString();
+            }
+
+            return date.ToString(format);
+        }
+
+        /// <summary>
+        /// Converts a <see cref="DateTime"/> to a formatted string based on the specified format string.
+        /// <br />
+        /// - If the format contains the symbol “//”, the method divides the numeric value obtained from the left side of the format
+        ///   by one minus the numeric value obtained from the right side of the format string and adds one. For instance:
+        /// <br />
+        /// - If the date is 02.03.2024 and the format is "MM//2", it extracts the month (02), subtracts one (3), divides it by 2,
+        ///   rounds down the outgoing number (1), adds one to the number (resulting in 2).
+        ///   <br />
+        /// - If the format does not contain "//", the method uses the default <see cref="DateTime.ToString"/> format.
+        /// <br />
+        /// This method provides a way to format the date based on typical or customized rules, including mathematical operations like division.
+        /// </summary>
+        /// <param name="date">The <see cref="DateOnly"/> value to be formatted. It will convert to DateTime to use the method shared with DateTime.</param>
+        /// <param name="format">The format string that dictates the formatting of the date. If the format includes the "//" symbol, 
+        /// it splits the string at "//" and divides the left-side value by the right-side value. The format string can include standard
+        /// <see cref="DateTime.ToString"/> format patterns.</param>
+        /// <returns>A string representation of the formatted date, or the result of the division operation if "//" is present in the format.</returns>
+        /// <exception cref="ArgumentException">Thrown if the format string is invalid, such as having an incorrect number of parts after "//".</exception>
+        /// <exception cref="DivideByZeroException">Thrown if the right side of the "//" contains a zero, resulting in division by zero.</exception>
+        /// <exception cref="FormatException">Thrown if either the left-side or right-side value of "//" cannot be parsed as an integer.</exception>
+        internal static string ToTag(this DateOnly date, string format) => date.ToDateTime(new()).ToTag(format);
+
+        /// <summary>
+        /// Maps a <see cref="RSATokenDescriptor"/> to a <see cref="SecurityTokenDescriptor"/>.
+        /// </summary>
+        /// <param name="mapper">The <see cref="IMapper"/> instance used for mapping.</param>
+        /// <param name="description">The <see cref="RSATokenDescriptor"/> instance to be mapped.</param>
+        /// <returns>A <see cref="SecurityTokenDescriptor"/> instance populated with the mapped values.</returns>
+        /// <exception cref="ArgumentNullException">Thrown if <paramref name="mapper"/> or <paramref name="description"/> is <c>null</c>.</exception>
+        internal static SecurityTokenDescriptor Map(this IMapper mapper, IAsymmetricTokenDescriptor description)
+            => mapper.Map(description, new SecurityTokenDescriptor());
+    }
+}

DigitalData.Core.Security/GlobalSuppressions.cs

@@ -0,0 +1,8 @@
+// This file is used by Code Analysis to maintain SuppressMessage
+// attributes that are applied to this project.
+// Project-level suppressions either have no target or are given
+// a specific target and scoped to a namespace, type, member, etc.
+
+using System.Diagnostics.CodeAnalysis;
+
+[assembly: SuppressMessage("Style", "IDE0290:Use primary constructor", Justification = "<Pending>", Scope = "member", Target = "~M:DigitalData.Core.Security.JwtSignatureHandler`1.#ctor(Microsoft.Extensions.Options.IOptions{DigitalData.Core.Security.Config.ClaimDescriptor{`0}},AutoMapper.IMapper)")]

DigitalData.Core.Security/Instance.cs

@@ -0,0 +1,14 @@
+using DigitalData.Core.Abstractions.Security;
+using DigitalData.Core.Security.Config;
+using DigitalData.Core.Security.RSAKey;
+using Microsoft.Extensions.Options;
+
+namespace DigitalData.Core.Security
+{
+    public static class Instance
+    {
+        private static readonly Lazy<RSAFactory<RSAFactoryParams>> LazyInstance = new(() => new(Options.Create<RSAFactoryParams>(new())));
+
+        public static IAsymmetricKeyFactory RSAFactory => LazyInstance.Value;
+    }
+}

DigitalData.Core.Security/JwtSignatureHandler.cs

@@ -0,0 +1,40 @@
+using AutoMapper;
+using DigitalData.Core.Abstractions.Security;
+using DigitalData.Core.Security.Config;
+using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.Tokens;
+using System.IdentityModel.Tokens.Jwt;
+
+namespace DigitalData.Core.Security
+{
+    public class JwtSignatureHandler<TPrincipal> : JwtSecurityTokenHandler, IJwtSignatureHandler<TPrincipal>
+    {
+        private readonly ClaimDescriptor<TPrincipal> _claimDescriptor;
+
+        private readonly IMapper _mapper;
+
+        private readonly ICryptoFactory _cryptoFactory;
+
+        public JwtSignatureHandler(IOptions<ClaimDescriptor<TPrincipal>> claimDescriptorOptions, IMapper mapper, ICryptoFactory cryptoFactory)
+        {
+            _claimDescriptor = claimDescriptorOptions.Value;
+            _mapper = mapper;
+            _cryptoFactory = cryptoFactory;
+        }
+
+        public SecurityToken CreateToken(TPrincipal subject, IAsymmetricTokenDescriptor descriptor)
+        {
+            var sDescriptor = _mapper.Map(descriptor);
+            sDescriptor.Claims = _claimDescriptor.CreateClaims?.Invoke(subject);
+            sDescriptor.Subject = _claimDescriptor.CreateSubject?.Invoke(subject);
+            return CreateToken(sDescriptor);
+        }
+
+        public SecurityToken CreateToken(TPrincipal subject, string issuer, string audience)
+        {
+            var descriptor = _cryptoFactory.TokenDescriptors.Get(issuer: issuer, audience: audience)
+                ?? throw new InvalidOperationException($"No or multiple token description found for issuer '{issuer}' and audience '{audience}'.");
+            return CreateToken(subject: subject, descriptor: descriptor);
+        }
+    }
+}

DigitalData.Core.Security/RSACryptographer.cs

@@ -1,16 +0,0 @@
-using DigitalData.Core.Abstractions.Security;
-using System.Security.Cryptography;
-
-namespace DigitalData.Core.Security
-{
-    public class RSACryptographer : IRSACryptographer
-    {
-        public required virtual string Pem { get; init; }
-
-        public RSAEncryptionPadding Padding { get; init; } = RSAEncryptionPadding.OaepSHA256;
-
-        protected virtual RSA RSA { get; } = RSA.Create();
-
-        internal RSACryptographer() { }
-    }
-}

DigitalData.Core.Security/RSADecryptor.cs

@@ -1,58 +0,0 @@
-using DigitalData.Core.Abstractions.Security;
-using DigitalData.Core.Security.Extensions;
-using System.Security.Cryptography;
-
-namespace DigitalData.Core.Security
-{
-    public class RSADecryptor : RSACryptographer, IRSADecryptor, IRSACryptographer
-    {
-        public (string Value, Version Version)? VersionedPassword
-        {
-            init
-            {
-                _password = value?.Value;
-                PasswordVersion = value?.Version;
-            }
-        }
-
-        private string? _password;
-
-        public Version? PasswordVersion { get; private init; } = null;
-
-        public bool HasEncryptedPem => _password is not null;
-
-        public bool IsEncrypted => _password is not null;
-
-        private readonly Lazy<IRSAEncryptor> _lazyEncryptor;
-
-        public IRSAEncryptor Encryptor => _lazyEncryptor.Value;
-
-        private readonly Lazy<RSA> lazyRSA;
-
-        protected override RSA RSA => lazyRSA.Value;
-
-        public RSADecryptor() 
-        {
-            _lazyEncryptor = new(() => new RSAEncryptor()
-            {
-                Pem = RSA.ExportRSAPublicKeyPem(),
-                Padding = Padding
-            });
-
-            lazyRSA = new(() =>
-            {
-                var rsa = RSA.Create();
-                if (_password is null)
-                    RSA.ImportFromPem(Pem);
-                else
-                    RSA.ImportFromEncryptedPem(Pem, _password.AsSpan());
-
-                return rsa;
-            });
-        }
-        
-        public byte[] Decrypt(byte[] data) => RSA.Decrypt(data, Padding);
-
-        public string Decrypt(string data) => RSA.Decrypt(data.Base64ToByte(), Padding).BytesToString();
-    }
-}

DigitalData.Core.Security/RSAEncryptor.cs

@@ -1,24 +0,0 @@
-using DigitalData.Core.Abstractions.Security;
-using DigitalData.Core.Security.Extensions;
-
-namespace DigitalData.Core.Security
-{
-    public class RSAEncryptor : RSACryptographer, IRSAEncryptor, IRSACryptographer
-    {
-        public override required string Pem
-        { 
-            get => base.Pem;            
-            init
-            {
-                RSA.ImportFromPem(base.Pem);
-                base.Pem = value;
-            }
-        }
-
-        public byte[] Encrypt(byte[] data) => RSA.Encrypt(data, Padding);
-
-        public string Encrypt(string data) => RSA.Encrypt(data.Base64ToByte(), Padding).BytesToString();
-
-        public bool Verify(string data, string signature) => Encrypt(data) == signature;
-    }
-}

DigitalData.Core.Security/RSAFactory.cs

@@ -1,132 +0,0 @@
-using DigitalData.Core.Abstractions.Security;
-using System.Security.Cryptography;
-using System.Text;
-
-namespace DigitalData.Core.Security
-{
-    public class RSAFactory
-    {
-        private static readonly Lazy<RSAFactory> LazyInstance = new(() => new());
-
-        public static RSAFactory Static => LazyInstance.Value;
-
-        public static readonly string DefaultEncryptedPrivateKeyFileTag = "enc-private";
-
-        public static readonly string DefaultPrivateKeyFileTag = "private";
-
-        public static readonly string DefaultPublicKeyFileTag = "public";
-
-        public static readonly IEnumerable<string> KeyFileTags = new string[] { DefaultEncryptedPrivateKeyFileTag, DefaultPrivateKeyFileTag, DefaultPublicKeyFileTag };
-
-        private static readonly Lazy<IEnumerable<string>> LazyLowerFileTags = new(() => KeyFileTags.Select(tag => tag.ToLower()));
-
-        public static readonly string DefaultRSAKeyNameSeparator = "-_-";
-
-        //TODO: make the validation using regex
-        public static string DefaultRSAKeyNameFormatter(string issuer, string audience, bool isPrivate = true, Version? passwordVersion = null, string? separator = null)
-        {
-            separator ??= DefaultRSAKeyNameSeparator;
-
-            void ValidateForbidden(string value, string paramName)
-            {
-                if (Path.GetInvalidFileNameChars().Any(value.Contains) || LazyLowerFileTags.Value.Any(tag => value.ToLower().Contains(tag)))
-                    throw new ArgumentException($"RSA decryptor key name creation is forbidden. The {paramName} contains forbidden characters that are not allowed in file naming.", paramName);
-            }
-
-            static void ValidateSeparator(string value, string paramName, string separator)
-            {
-                if (value.Contains(separator))
-                    throw new ArgumentException($"RSA decryptor key name creation is forbidden. The {paramName} contains separator characters ({separator}) that are not allowed in file naming.", paramName);
-            }
-
-            ValidateForbidden(issuer, nameof(issuer));
-            ValidateForbidden(audience, nameof(audience));
-            ValidateForbidden(separator, nameof(separator));
-
-            ValidateSeparator(issuer, nameof(issuer), separator);
-            ValidateSeparator(audience, nameof(audience), separator);
-
-            var sb = new StringBuilder(issuer.Length + audience.Length + separator.Length * 2 + 20);
-            sb.Append(issuer).Append(separator).Append(audience).Append(separator);
-
-            if (passwordVersion is null && isPrivate)
-                sb.Append(DefaultPrivateKeyFileTag);
-            else if (isPrivate)
-                sb.Append(DefaultEncryptedPrivateKeyFileTag).Append(separator).Append(passwordVersion);
-            else if (passwordVersion is null)
-                sb.Append(DefaultPublicKeyFileTag);
-            else
-                sb.Append(DefaultPublicKeyFileTag).Append(separator).Append(passwordVersion);
-
-            return sb.ToString();
-        }
-
-        public int KeySizeInBits { get; init; } = 2048;
-
-        public string PbePassword { private get; init; } = Secrets.PBE_PASSWORD;
-
-        public PbeEncryptionAlgorithm PbeEncryptionAlgorithm { get; init; } = PbeEncryptionAlgorithm.Aes256Cbc;
-
-        public HashAlgorithmName PbeHashAlgorithmName { get; init; } = HashAlgorithmName.SHA256;
-
-        public int PbeIterationCount { get; init; } = 100_000;
-
-        private readonly Lazy<PbeParameters> _lazyPbeParameters;
-
-        public PbeParameters PbeParameters => _lazyPbeParameters.Value;
-
-        public string EncryptedPrivateKeyPemLabel { get; init; } = "ENCRYPTED PRIVATE KEY";
-
-        internal RSAFactory()
-        {
-            _lazyPbeParameters = new(() => new PbeParameters(PbeEncryptionAlgorithm, PbeHashAlgorithmName, PbeIterationCount));
-        }
-
-        public string CreateRSAPrivateKeyPem(int? keySizeInBits = null)
-            => RSA.Create(keySizeInBits ?? KeySizeInBits).ExportRSAPrivateKeyPem();
-
-        public string CreateEncryptedPrivateKeyPem(
-            int? keySizeInBits = null,
-            string? password = null,
-            PbeEncryptionAlgorithm? pbeEncryptionAlgorithm = null,
-            HashAlgorithmName? hashAlgorithmName = null,
-            int? iterationCount = null)
-        {
-            password ??= PbePassword;
-
-            var pbeParameters = (pbeEncryptionAlgorithm is null && hashAlgorithmName is null && iterationCount is null)
-                ? new PbeParameters(
-                    pbeEncryptionAlgorithm ?? PbeEncryptionAlgorithm,
-                    hashAlgorithmName ?? PbeHashAlgorithmName,
-                    iterationCount ?? PbeIterationCount)
-                : PbeParameters;
-            
-            var encryptedPrivateKey = RSA.Create(keySizeInBits ?? KeySizeInBits).ExportEncryptedPkcs8PrivateKey(password.AsSpan(), pbeParameters);
-
-            var pemChars = PemEncoding.Write(EncryptedPrivateKeyPemLabel, encryptedPrivateKey);
-
-            return new string(pemChars);
-        }
-
-        public async Task<IRSADecryptor> ReadRSADecryptorAsync(string path, Version? version = null, CancellationToken cancellationToken = default)
-        {
-            var pem = await File.ReadAllTextAsync(path, cancellationToken);
-
-            (string Value, Version Version)? versionedPassword = null;
-
-            if(version is not null)
-            {
-                if (version != Secrets.Version)
-                    throw new InvalidOperationException($"The provided version {version} does not match the expected version {Secrets.Version}.");
-
-                versionedPassword = (Secrets.PBE_PASSWORD, Secrets.Version);
-            }
-
-            return new RSADecryptor()
-            {
-                Pem = pem,
-                VersionedPassword = versionedPassword
-            };
-        }
-    }
-}

DigitalData.Core.Security/RSAKey/RSADecryptor.cs

@@ -0,0 +1,33 @@
+using DigitalData.Core.Abstractions.Security;
+using System.Reflection;
+using System.Security.Cryptography;
+
+namespace DigitalData.Core.Security.RSAKey
+{
+    public class RSADecryptor : RSAPrivateKey, IAsymmetricDecryptor
+    {
+        public RSAEncryptionPadding Padding { get; init; } = RSAEncryptionPadding.OaepSHA256;
+
+        // TODO: add as json converter to IConfigurIConfiguration.Config
+        public string PaddingName
+        {
+            get => Padding.ToString();
+            init => Padding = typeof(RSAEncryptionPadding).GetProperty(value, BindingFlags.Public | BindingFlags.Static)?.GetValue(null) as RSAEncryptionPadding ?? throw new ArgumentException($"Padding '{value}' not found.");
+        }
+
+        public byte[] Decrypt(byte[] data) => RSA.Decrypt(data, Padding);
+
+        private readonly Lazy<IAsymmetricEncryptor> _lazyEncryptor;
+
+        public IAsymmetricEncryptor Encryptor => _lazyEncryptor.Value;
+
+        public RSADecryptor()
+        {
+            _lazyEncryptor = new(() => new RSAEncryptor()
+            {
+                Content = RSA.ExportRSAPublicKeyPem(),
+                Padding = Padding
+            });
+        }
+    }
+}

DigitalData.Core.Security/RSAKey/RSAEncryptor.cs

@@ -0,0 +1,20 @@
+using DigitalData.Core.Abstractions.Security;
+using System.Reflection;
+using System.Security.Cryptography;
+
+namespace DigitalData.Core.Security.RSAKey
+{
+    public class RSAEncryptor : RSAPublicKey, IAsymmetricEncryptor
+    {
+        public RSAEncryptionPadding Padding { get; init; } = RSAEncryptionPadding.OaepSHA256;
+
+        // TODO: add as json converter to IConfigurIConfiguration.Config
+        public string PaddingName
+        {
+            get => Padding.ToString();
+            init => Padding = typeof(RSAEncryptionPadding).GetProperty(value, BindingFlags.Public | BindingFlags.Static)?.GetValue(null) as RSAEncryptionPadding ?? throw new ArgumentException($"Padding '{value}' not found.");
+        }
+
+        public byte[] Encrypt(byte[] data) => RSA.Encrypt(data, Padding);
+    }
+}

DigitalData.Core.Security/RSAKey/RSAFactory.cs

@@ -0,0 +1,66 @@
+using DigitalData.Core.Abstractions.Security;
+using DigitalData.Core.Security.Config;
+using Microsoft.Extensions.Options;
+using System.Security.Cryptography;
+
+namespace DigitalData.Core.Security.RSAKey
+{
+    public class RSAFactory<TRSAFactoryParams> : IAsymmetricKeyFactory where TRSAFactoryParams : RSAFactoryParams
+    {
+        protected readonly TRSAFactoryParams _params;
+
+        public RSAFactory(IOptions<TRSAFactoryParams> options)
+        {
+            options.Value.Init();
+            _params = options.Value;
+        }
+
+        public string CreatePrivateKeyPem(int? keySizeInBits = null, bool encrypt = false) => encrypt
+            ? CreateEncryptedPrivateKeyPem(keySizeInBits: keySizeInBits)
+            : RSA.Create(keySizeInBits ?? _params.KeySizeInBits).ExportRSAPrivateKeyPem();
+
+        public string CreateEncryptedPrivateKeyPem(
+            PbeEncryptionAlgorithm? pbeEncryptionAlgorithm = null,
+            HashAlgorithmName? hashAlgorithmName = null,
+            int? iterationCount = null,
+            int? keySizeInBits = null,
+            string? password = null)
+        {
+            password ??= _params.PbePassword;
+
+            var pbeParameters = pbeEncryptionAlgorithm is null && hashAlgorithmName is null && iterationCount is null
+                ? new PbeParameters(
+                    pbeEncryptionAlgorithm ?? _params.PbeEncryptionAlgorithm,
+                    hashAlgorithmName ?? _params.PbeHashAlgorithm,
+                    iterationCount ?? _params.PbeIterationCount)
+                : _params.PbeParameters;
+
+            var encryptedPrivateKey = RSA.Create(keySizeInBits ?? _params.KeySizeInBits).ExportEncryptedPkcs8PrivateKey(password.AsSpan(), pbeParameters);
+
+            var pemChars = PemEncoding.Write(_params.EncryptedPrivateKeyPemLabel, encryptedPrivateKey);
+
+            return new string(pemChars);
+        }
+
+        public string CreateEncryptedPrivateKeyPem(
+            PbeParameters pbeParameters,
+            int? keySizeInBits = null,
+            string? password = null)
+        {
+            password ??= _params.PbePassword;
+
+            var encryptedPrivateKey = RSA.Create(keySizeInBits ?? _params.KeySizeInBits).ExportEncryptedPkcs8PrivateKey(password.AsSpan(), pbeParameters);
+
+            var pemChars = PemEncoding.Write(_params.EncryptedPrivateKeyPemLabel, encryptedPrivateKey);
+
+            return new string(pemChars);
+        }
+
+        public IAsymmetricDecryptor CreateDecryptor(string pem, string? issuer = null, string? audience = null, bool encrypt = false, RSAEncryptionPadding? padding = null) => new RSADecryptor()
+        {
+            Content = pem,
+            IsEncrypted = encrypt,
+            Padding = padding ?? RSAEncryptionPadding.OaepSHA256
+        };
+    }
+}

DigitalData.Core.Security/RSAKey/RSAKeyBase.cs

@@ -0,0 +1,16 @@
+using DigitalData.Core.Abstractions.Security;
+using System.Security.Cryptography;
+
+namespace DigitalData.Core.Security.RSAKey
+{
+    public class RSAKeyBase : IAsymmetricKey
+    {
+#pragma warning disable CS8618 // Non-nullable field must contain a non-null value when exiting constructor. Consider declaring as nullable.
+        public virtual string Content { get; init; }
+#pragma warning restore CS8618 // Non-nullable field must contain a non-null value when exiting constructor. Consider declaring as nullable.
+
+        public string? Id { get; init; }
+
+        protected virtual RSA RSA { get; } = RSA.Create();
+    }
+}

DigitalData.Core.Security/RSAKey/RSAPrivateKey.cs

@@ -0,0 +1,55 @@
+using DigitalData.Core.Abstractions.Security;
+using System.Security.Cryptography;
+
+namespace DigitalData.Core.Security.RSAKey
+{
+    public class RSAPrivateKey : RSAKeyBase, IAsymmetricPrivateKey, IAsymmetricKey
+    {
+        private string? _pem;
+
+        public override string Content
+        {
+#pragma warning disable CS8603 // Possible null reference return.
+            get => _pem;
+#pragma warning restore CS8603 // Possible null reference return.
+            init
+            {
+                _pem = value;
+                Init();
+            }
+        }
+
+        public bool IsPemNull => _pem is null;
+
+        public bool IsEncrypted { get; init; }
+
+        protected TPublicKey CreatePublicKey<TPublicKey>() where TPublicKey : RSAPublicKey, new()
+            => new() { Content = RSA.ExportRSAPublicKeyPem() };
+
+        private readonly Lazy<RSAPublicKey> _lazyPublicKey;
+
+        public IAsymmetricPublicKey PublicKey => _lazyPublicKey.Value;
+
+        public RSAPrivateKey()
+        {
+            _lazyPublicKey = new(CreatePublicKey<RSAPublicKey>);
+        }
+
+        internal void SetPem(string pem)
+        {
+            _pem = pem;
+            Init();
+        }
+
+        private void Init()
+        {
+            if (string.IsNullOrEmpty(_pem))
+                throw new InvalidOperationException ($"The content of RSA private key is null or empty. Id: {Id}.");
+
+            if (IsEncrypted)
+                RSA.ImportFromEncryptedPem(Content, Secrets.PBE_PASSWORD.AsSpan());
+            else
+                RSA.ImportFromPem(Content);
+        }
+    }
+}

DigitalData.Core.Security/RSAKey/RSAPublicKey.cs

@@ -0,0 +1,17 @@
+using DigitalData.Core.Abstractions.Security;
+
+namespace DigitalData.Core.Security.RSAKey
+{
+    public class RSAPublicKey : RSAKeyBase, IAsymmetricPublicKey, IAsymmetricKey
+    {
+        public override string Content 
+        {
+            get => base.Content;
+            init
+            {
+                base.Content = value;
+                RSA.ImportFromPem(value);
+            }
+        }
+    }
+}

DigitalData.Core.Security/RSAKey/RSATokenDescriptor.cs

@@ -0,0 +1,119 @@
+using DigitalData.Core.Abstractions.Security;
+using Microsoft.IdentityModel.Tokens;
+
+namespace DigitalData.Core.Security.RSAKey
+{
+    /// <summary>
+    /// Contains some information which used to create a security token. Designed to abstract <see cref="SecurityTokenDescriptor"/>
+    /// </summary>
+    public class RSATokenDescriptor : RSAPrivateKey, IAsymmetricTokenDescriptor
+    {
+        private readonly Lazy<RSATokenValidator> _lazyTokenValidator;
+
+        public IAsymmetricTokenValidator Validator => _lazyTokenValidator.Value;
+
+        public required TimeSpan Lifetime { get; init; }
+
+        #region SecurityTokenDescriptor Map
+        /// <summary>
+        /// Gets or sets the value of the 'audience' claim.
+        /// </summary>
+        public required string Audience { get; set; }
+
+        /// <summary>
+        /// Defines the compression algorithm that will be used to compress the JWT token payload.
+        /// </summary>
+        public string CompressionAlgorithm { get; set; }
+
+        /// <summary>
+        /// Gets or sets the <see cref="EncryptingCredentials"/> used to create a encrypted security token.
+        /// </summary>
+        public EncryptingCredentials EncryptingCredentials { get; set; }
+
+        /// <summary>
+        /// Gets or sets the value of the 'expiration' claim. This value should be in UTC.
+        /// The expiration time is the sum of DateTime.Now and LifeTime.
+        /// </summary>
+        public DateTime? Expires => DateTime.Now.AddTicks(Lifetime.Ticks);
+
+        /// <summary>
+        /// Gets or sets the issuer of this <see cref="SecurityTokenDescriptor"/>.
+        /// </summary>
+        public required string Issuer { get; set; }
+
+        /// <summary>
+        /// Gets or sets the time the security token was issued. This value should be in UTC.
+        /// </summary>
+        public DateTime? IssuedAt { get; set; }
+
+        /// <summary>
+        /// Gets or sets the notbefore time for the security token. This value should be in UTC.
+        /// </summary>
+        public DateTime? NotBefore { get; set; }
+
+        /// <summary>
+        /// Gets or sets the token type.
+        /// <remarks> If provided, this will be added as the value for the 'typ' header parameter. In the case of a JWE, this will be added to both the inner (JWS) and the outer token (JWE) header. By default, the value used is 'JWT'.
+        /// If <see cref="AdditionalHeaderClaims"/> also contains 'typ' header claim value, it will override the TokenType provided here.
+        /// This value is used only for JWT tokens and not for SAML/SAML2 tokens</remarks>
+        /// </summary>
+        public string TokenType { get; set; }
+
+        /// <summary>
+        /// Gets or sets the <see cref="Dictionary{TKey, TValue}"/> which contains any custom header claims that need to be added to the JWT token header.
+        /// The 'alg', 'kid', 'x5t', 'enc', and 'zip' claims are added by default based on the <see cref="SigningCredentials"/>,
+        /// <see cref="EncryptingCredentials"/>, and/or <see cref="CompressionAlgorithm"/> provided and SHOULD NOT be included in this dictionary as this
+        /// will result in an exception being thrown. 
+        /// <remarks> These claims are only added to the outer header (in case of a JWE).</remarks>
+        /// </summary>
+        public IDictionary<string, object> AdditionalHeaderClaims { get; set; }
+
+        /// <summary>
+        /// Gets or sets the <see cref="Dictionary{TKey, TValue}"/> which contains any custom header claims that need to be added to the inner JWT token header.
+        /// The 'alg', 'kid', 'x5t', 'enc', and 'zip' claims are added by default based on the <see cref="SigningCredentials"/>,
+        /// <see cref="EncryptingCredentials"/>, and/or <see cref="CompressionAlgorithm"/> provided and SHOULD NOT be included in this dictionary as this
+        /// will result in an exception being thrown. 
+        /// <remarks>
+        /// For JsonWebTokenHandler, these claims are merged with <see cref="AdditionalHeaderClaims"/> while adding to the inner JWT header.
+        /// </remarks>
+        /// </summary>
+        public IDictionary<string, object> AdditionalInnerHeaderClaims { get; set; }
+
+        /// <summary>
+        /// Gets or sets the <see cref="SigningCredentials"/> used to create a security token.
+        /// </summary>
+        public SigningCredentials SigningCredentials => _lazySigningCredentials.Value;
+        #endregion SecurityTokenDescriptor
+
+        private readonly Lazy<RsaSecurityKey> _lazyRsaSecurityKey;
+
+        public SecurityKey SecurityKey => _lazyRsaSecurityKey.Value;
+
+        private readonly Lazy<SigningCredentials> _lazySigningCredentials;
+
+        /// <summary>
+        /// Specifies the signature algorithm to be applied to the <see cref="SigningCredentials"/>.
+        /// Default is <see cref="SecurityAlgorithms.RsaSha256"/>.
+        /// </summary>
+        public string SigningAlgorithm { get; init; } = SecurityAlgorithms.RsaSha256;
+
+        /// <summary>
+        /// Optionally specifies the digest algorithm to be applied during the signing process for the <see cref="SigningCredentials"/>.
+        /// If not provided, the default algorithm is used.
+        /// </summary>
+        public string? SigningDigest { get; init; }
+
+#pragma warning disable CS8618 // Non-nullable field must contain a non-null value when exiting constructor. Consider declaring as nullable.
+        public RSATokenDescriptor()
+#pragma warning restore CS8618 // Non-nullable field must contain a non-null value when exiting constructor. Consider declaring as nullable.
+        {
+            _lazyTokenValidator = new(CreatePublicKey<RSATokenValidator>);
+
+            _lazyRsaSecurityKey = new(() => new RsaSecurityKey(RSA));
+
+            _lazySigningCredentials = new(() => SigningDigest is null
+                ? new(SecurityKey, SigningAlgorithm)
+                : new(SecurityKey, SigningAlgorithm, SigningDigest));
+        }
+    }
+}

DigitalData.Core.Security/RSAKey/RSATokenValidator.cs

@@ -0,0 +1,17 @@
+using DigitalData.Core.Abstractions.Security;
+using Microsoft.IdentityModel.Tokens;
+
+namespace DigitalData.Core.Security.RSAKey
+{
+    public class RSATokenValidator : RSAPublicKey, IAsymmetricTokenValidator
+    {
+        private readonly Lazy<RsaSecurityKey> _lazyRsaSecurityKey;
+
+        public SecurityKey SecurityKey => _lazyRsaSecurityKey.Value;
+
+        public RSATokenValidator()
+        {
+            _lazyRsaSecurityKey = new(() => new RsaSecurityKey(RSA));
+        }
+    }
+}

DigitalData.Core.sln

@@ -23,9 +23,9 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DigitalData.Core.Legacy.Cli
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "DigitalData.Core.Security", "DigitalData.Core.Security\DigitalData.Core.Security.csproj", "{47D80C65-74A2-4EB8-96A5-D571A9108FB3}"
 EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "DigitalData.Core.Security.Extensions", "DigitalData.Core.Security.Extensions\DigitalData.Core.Security.Extensions.csproj", "{D740182D-82DA-480A-9F87-BFB4A8620A00}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "DigitalData.Core.Terminal", "DigitalData.Core.Terminal\DigitalData.Core.Terminal.csproj", "{0FA93730-8084-4907-B172-87D610323796}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DigitalData.Core.Terminal", "DigitalData.Core.Terminal\DigitalData.Core.Terminal.csproj", "{0FA93730-8084-4907-B172-87D610323796}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "DigitalData.Core.Tests.API", "DigitalData.Core.Tests.API\DigitalData.Core.Tests.API.csproj", "{9BC2DEC5-E89D-48CC-9A51-4D94496EE4A6}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
@@ -68,18 +68,18 @@ Global
 		{E009A053-A9F4-48F2-984F-EF5C376A9B14}.Debug|Any CPU.Build.0 = Release|Any CPU
 		{E009A053-A9F4-48F2-984F-EF5C376A9B14}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{E009A053-A9F4-48F2-984F-EF5C376A9B14}.Release|Any CPU.Build.0 = Release|Any CPU
-		{47D80C65-74A2-4EB8-96A5-D571A9108FB3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{47D80C65-74A2-4EB8-96A5-D571A9108FB3}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{47D80C65-74A2-4EB8-96A5-D571A9108FB3}.Debug|Any CPU.ActiveCfg = Release|Any CPU
+		{47D80C65-74A2-4EB8-96A5-D571A9108FB3}.Debug|Any CPU.Build.0 = Release|Any CPU
 		{47D80C65-74A2-4EB8-96A5-D571A9108FB3}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{47D80C65-74A2-4EB8-96A5-D571A9108FB3}.Release|Any CPU.Build.0 = Release|Any CPU
-		{D740182D-82DA-480A-9F87-BFB4A8620A00}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{D740182D-82DA-480A-9F87-BFB4A8620A00}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{D740182D-82DA-480A-9F87-BFB4A8620A00}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{D740182D-82DA-480A-9F87-BFB4A8620A00}.Release|Any CPU.Build.0 = Release|Any CPU
 		{0FA93730-8084-4907-B172-87D610323796}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{0FA93730-8084-4907-B172-87D610323796}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{0FA93730-8084-4907-B172-87D610323796}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{0FA93730-8084-4907-B172-87D610323796}.Release|Any CPU.Build.0 = Release|Any CPU
+		{9BC2DEC5-E89D-48CC-9A51-4D94496EE4A6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{9BC2DEC5-E89D-48CC-9A51-4D94496EE4A6}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{9BC2DEC5-E89D-48CC-9A51-4D94496EE4A6}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{9BC2DEC5-E89D-48CC-9A51-4D94496EE4A6}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE