Private/ConvertFrom-Jwk.ps1

function ConvertFrom-Jwk {
    [CmdletBinding(DefaultParameterSetName='JSON')]
    [OutputType('System.Security.Cryptography.AsymmetricAlgorithm')]
    param(
        [Parameter(ParameterSetName='JSON',Mandatory,Position=0,ValueFromPipeline)]
        [string]$JwkJson,
        [Parameter(ParameterSetName='Object',Mandatory,Position=0,ValueFromPipeline)]
        [pscustomobject]$Jwk
    )

    # RFC 7515 - JSON Web Key (JWK)
    # https://tools.ietf.org/html/rfc7517

    # Support enough of a subset of RFC 7515 to implement the ACME v2
    # protocol.
    # https://tools.ietf.org/html/draft-ietf-acme-acme-10

    # This basically includes RSA keys 2048-4096 bits and EC keys utilizing
    # P-256, P-384, or P-521 curves.

    Process {

        if ($PSCmdlet.ParameterSetName -eq 'JSON') {
            try {
                $Jwk = $JwkJson | ConvertFrom-Json
            } catch { throw }
        }

        if ('kty' -notin $Jwk.PSObject.Properties.Name) {
            throw "Invalid JWK. No 'kty' element found."
        }

        # create a KeyParameters object from the values given for each key type
        switch ($Jwk.kty) {

            'RSA' {
                $keyParams = New-Object Security.Cryptography.RSAParameters

                # make sure we have the required public key parameters per
                # https://tools.ietf.org/html/rfc7518#section-6.3.1
                $hasE = ![string]::IsNullOrWhiteSpace($Jwk.e)
                $hasN = ![string]::IsNullOrWhiteSpace($Jwk.n)
                if ($hasE -and $hasN) {
                    $keyParams.Exponent = $Jwk.e  | ConvertFrom-Base64Url -AsByteArray
                    $keyParams.Modulus  = $Jwk.n  | ConvertFrom-Base64Url -AsByteArray
                } else {
                    throw "Invalid RSA JWK. Missing one or more public key parameters."
                }

                # Add the private key parameters if they were included
                # Per https://tools.ietf.org/html/rfc7518#section-6.3.2,
                # 'd' is the only required private parameter. The rest SHOULD
                # be included and if any *are* included then they all MUST be included.
                # HOWEVER, Microsoft's RSA implementation either can't or won't create
                # a private key unless all (d,p,q,dp,dq,qi) are included.
                $hasD = ![string]::IsNullOrWhiteSpace($Jwk.D)
                $hasP = ![string]::IsNullOrWhiteSpace($Jwk.P)
                $hasQ = ![string]::IsNullOrWhiteSpace($Jwk.Q)
                $hasDP = ![string]::IsNullOrWhiteSpace($Jwk.DP)
                $hasDQ = ![string]::IsNullOrWhiteSpace($Jwk.DQ)
                $hasQI = ![string]::IsNullOrWhiteSpace($Jwk.QI)
                if ($hasD -and $hasP -and $hasQ -and $hasDP -and $hasDQ -and $hasQI) {
                    $keyParams.D        = $Jwk.d  | ConvertFrom-Base64Url -AsByteArray
                    $keyParams.P        = $Jwk.p  | ConvertFrom-Base64Url -AsByteArray
                    $keyParams.Q        = $Jwk.q  | ConvertFrom-Base64Url -AsByteArray
                    $keyParams.DP       = $Jwk.dp | ConvertFrom-Base64Url -AsByteArray
                    $keyParams.DQ       = $Jwk.dq | ConvertFrom-Base64Url -AsByteArray
                    $keyParams.InverseQ = $Jwk.qi | ConvertFrom-Base64Url -AsByteArray
                } elseif ($hasD -or $hasP -or $hasQ -or $hasDP -or $hasDQ -or $hasQI) {
                    throw "Invalid RSA JWK. Incomplete set of private key parameters."
                }

                # create the key
                $key = New-Object Security.Cryptography.RSACryptoServiceProvider
                $key.ImportParameters($keyParams)
                break;
            }

            'EC' {
                # check for a valid curve
                if ('crv' -notin $Jwk.PSObject.Properties.Name) {
                    throw "Invalid JWK. No 'crv' found for key type EC."
                }
                switch ($Jwk.crv) {
                    'P-256' {
                        # nistP256 / ECDSA_P256 / secP256r1 / x962P256v1
                        $Curve = [Security.Cryptography.ECCurve]::CreateFromValue('1.2.840.10045.3.1.7')
                        $HashAlgo = [Security.Cryptography.CngAlgorithm]::SHA256
                        break;
                    }
                    'P-384' {
                        # nistP384 / ECDSA_P384 / secP384r1
                        $Curve = [Security.Cryptography.ECCurve]::CreateFromValue('1.3.132.0.34')
                        $HashAlgo = [Security.Cryptography.CngAlgorithm]::SHA384
                        break;
                    }
                    'P-521' {
                        # nistP521 / ECDSA_P521
                        $Curve = [Security.Cryptography.ECCurve]::CreateFromValue('1.3.132.0.35')
                        $HashAlgo = [Security.Cryptography.CngAlgorithm]::SHA512
                        break;
                    }
                    default {
                        throw "Unsupported JWK curve (crv) found."
                    }
                }

                # make sure we have the required public key parameters per
                # https://tools.ietf.org/html/rfc7518#section-6.2.1
                $hasX = ![string]::IsNullOrWhiteSpace($Jwk.x)
                $hasY = ![string]::IsNullOrWhiteSpace($Jwk.y)
                if ($hasX -and $hasY) {
                    $Q = New-Object Security.Cryptography.ECPoint
                    $Q.X = $Jwk.x | ConvertFrom-Base64Url -AsByteArray
                    $Q.Y = $Jwk.y | ConvertFrom-Base64Url -AsByteArray
                    $keyParams = New-Object Security.Cryptography.ECParameters
                    $keyParams.Q = $Q
                    $keyParams.Curve = $Curve
                } else {
                    throw "Invalid EC JWK. Missing one or more public key parameters."
                }

                # add the private key parameter
                if (![string]::IsNullOrWhiteSpace($Jwk.d)) {
                    $keyParams.D = $Jwk.d | ConvertFrom-Base64Url -AsByteArray
                }

                # create the key
                $key = [Security.Cryptography.ECDsa]::Create()
                $key.ImportParameters($keyParams)
                $key.HashAlgorithm = $HashAlgo
                break;
            }
            default {
                throw "Unsupported JWK key type (kty) found."
            }
        }

        # return the key
        return $key
    }
}