From 41bf4a64cca2769b383896994db561a7d89b5cee Mon Sep 17 00:00:00 2001
From: Ignacio Inglese
Date: Fri, 6 Sep 2024 16:08:30 +0100
Subject: [PATCH 1/6] Ported EcdhSa key changes from main path to VP one

---
 .../JsonWebTokenHandler.DecryptToken.cs | 44 ++++++++++++++-----
 1 file changed, 32 insertions(+), 12 deletions(-)

diff --git a/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.DecryptToken.cs b/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.DecryptToken.cs
index 85e46043c5..b32293a29f 100644
--- a/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.DecryptToken.cs
+++ b/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.DecryptToken.cs
@@ -170,18 +170,38 @@ internal Result DecryptToken( #if NET472 || NET6_0_OR_GREATER if (SupportedAlgorithms.EcdsaWrapAlgorithms.Contains(jwtToken.Alg)) { - // on decryption we get the public key from the EPK value see: https://datatracker.ietf.org/doc/html/rfc7518#appendix-C - var ecdhKeyExchangeProvider = new EcdhKeyExchangeProvider( - key as ECDsaSecurityKey, - validationParameters.EphemeralDecryptionKey as ECDsaSecurityKey, - jwtToken.Alg, - jwtToken.Enc); - jwtToken.TryGetHeaderValue(JwtHeaderParameterNames.Apu, out string apu); - jwtToken.TryGetHeaderValue(JwtHeaderParameterNames.Apv, out string apv); - SecurityKey kdf = ecdhKeyExchangeProvider.GenerateKdf(apu, apv); - var kwp = key.CryptoProviderFactory.CreateKeyWrapProviderForUnwrap(kdf, ecdhKeyExchangeProvider.GetEncryptionAlgorithm()); - var unwrappedKey = kwp.UnwrapKey(Base64UrlEncoder.DecodeBytes(jwtToken.EncryptedKey)); - unwrappedKeys.Add(new SymmetricSecurityKey(unwrappedKey)); + ECDsaSecurityKey? publicKey; + + // Since developers may have already worked around this issue, implicitly taking a dependency on the + // old behavior, we guard the new behavior behind an AppContext switch. The new/RFC-conforming behavior + // is treated as opt-in. When the library is at the point where it is able to make breaking changes + // (such as the next major version update) we should consider whether or not this app-compat switch + // needs to be maintained. 
+ if (AppContextSwitches.UseRfcDefinitionOfEpkAndKid) + { + // on decryption we get the public key from the EPK value see: https://datatracker.ietf.org/doc/html/rfc7518#appendix-C + jwtToken.TryGetHeaderValue(JwtHeaderParameterNames.Epk, out string epk); + publicKey = new ECDsaSecurityKey(new JsonWebKey(epk), false); + } + else + { + publicKey = validationParameters.EphemeralDecryptionKey as ECDsaSecurityKey; + } + + if (publicKey is not null) + { + var ecdhKeyExchangeProvider = new EcdhKeyExchangeProvider( + key as ECDsaSecurityKey, + publicKey, + jwtToken.Alg, + jwtToken.Enc); + jwtToken.TryGetHeaderValue(JwtHeaderParameterNames.Apu, out string apu); + jwtToken.TryGetHeaderValue(JwtHeaderParameterNames.Apv, out string apv); + SecurityKey kdf = ecdhKeyExchangeProvider.GenerateKdf(apu, apv); + var kwp = key.CryptoProviderFactory.CreateKeyWrapProviderForUnwrap(kdf, ecdhKeyExchangeProvider.GetEncryptionAlgorithm()); + var unwrappedKey = kwp.UnwrapKey(Base64UrlEncoder.DecodeBytes(jwtToken.EncryptedKey)); + unwrappedKeys.Add(new SymmetricSecurityKey(unwrappedKey)); + } } else #endif From 5aefe950c97b24411232d2f0651039b6a2979a71 Mon Sep 17 00:00:00 2001 From: Ignacio Inglese Date: Fri, 6 Sep 2024 16:09:08 +0100 Subject: [PATCH 2/6] Added regression tests using JWE --- ...ebTokenHandlerValidationParametersTests.cs | 114 +++++++++++++++++- 1 file changed, 113 insertions(+), 1 deletion(-) diff --git a/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerValidationParametersTests.cs b/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerValidationParametersTests.cs index 1a4c36f830..4249d47739 100644 --- a/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerValidationParametersTests.cs +++ b/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerValidationParametersTests.cs 
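Review bot: In the `UseRfcDefinitionOfEpkAndKid` branch the result of `jwtToken.TryGetHeaderValue(JwtHeaderParameterNames.Epk, out string epk)` is discarded, so a JWE whose unauthenticated header carries no `epk` reaches `new JsonWebKey(epk)` with a null string, and the `publicKey is not null` guard below cannot catch that because `new` never yields null. If `JsonWebKey`'s string constructor throws on null or malformed input (likely, but the constructor is outside this diff), that exception escapes as a raw throw rather than being folded into the method's `Result` like the other failure modes. Gate the branch on the lookup, e.g. `if (jwtToken.TryGetHeaderValue(JwtHeaderParameterNames.Epk, out string epk) && !string.IsNullOrEmpty(epk)) publicKey = new ECDsaSecurityKey(new JsonWebKey(epk), false); else publicKey = null;`, which also gives the existing null check something to do. The same unchecked lookup is carried into the rewrite of this block in PATCH 4/6 (the `-170,24 +170,9` hunk). `DecryptToken` starts and ends outside the hunk.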
@@ -1,12 +1,14 @@ // Copyright (c) Microsoft Corporation. All rights reserved. // Licensed under the MIT License. +using System; using System.Collections.Generic; using System.Security.Claims; using System.Threading; using System.Threading.Tasks; using Microsoft.IdentityModel.TestUtils; using Microsoft.IdentityModel.Tokens; +using Newtonsoft.Json.Linq; using Xunit; namespace Microsoft.IdentityModel.JsonWebTokens.Tests @@ -53,7 +55,9 @@ await jsonWebTokenHandler.ValidateTokenAsync( if (validationParametersResult.IsSuccess != theoryData.ExpectedIsValid) context.AddDiff($"validationParametersResult.IsSuccess != theoryData.ExpectedIsValid"); - if (theoryData.ExpectedIsValid) + if (theoryData.ExpectedIsValid && + tokenValidationParametersResult.IsValid && + validationParametersResult.IsSuccess) { IdentityComparer.AreEqual( tokenValidationParametersResult.ClaimsIdentity, 
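Review bot: The widened condition `theoryData.ExpectedIsValid && tokenValidationParametersResult.IsValid && validationParametersResult.IsSuccess` now skips the `ClaimsIdentity` comparison whenever either path fails, so an unexpected failure on the TokenValidationParameters path is only reported if it is diffed elsewhere. The `AddDiff` two lines above covers `validationParametersResult.IsSuccess`, but no equivalent check of `tokenValidationParametersResult.IsValid` is visible in this hunk; if it lives outside the hunk this is fine, otherwise add `if (tokenValidationParametersResult.IsValid != theoryData.ExpectedIsValid) context.AddDiff("tokenValidationParametersResult.IsValid != theoryData.ExpectedIsValid");` before the guard. The enclosing test method starts and ends outside the hunk.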
@@ -202,12 +206,95 @@ public static TheoryData Json "IDX10518:", innerTypeExpected: typeof(SecurityTokenInvalidAlgorithmException)) }, + new JsonWebTokenHandlerValidationParametersTheoryData("Valid_JWE") + { + EncryptingCredentials = new EncryptingCredentials( + KeyingMaterial.DefaultX509Key_2048, + SecurityAlgorithms.RsaPKCS1, + SecurityAlgorithms.Aes128CbcHmacSha256), + SigningCredentials = KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2, + TokenValidationParameters = CreateTokenValidationParameters( + Default.Issuer, [Default.Audience], KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2.Key, + tokenDecryptionKey: KeyingMaterial.DefaultX509Key_2048), + ValidationParameters = CreateValidationParameters( + Default.Issuer, [Default.Audience], KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2.Key, + tokenDecryptionKey: KeyingMaterial.DefaultX509Key_2048), + }, + new JsonWebTokenHandlerValidationParametersTheoryData("Valid_JWE_EcdhEs") + { + EncryptingCredentials = new EncryptingCredentials( + new ECDsaSecurityKey(KeyingMaterial.JsonWebKeyP521, true), + SecurityAlgorithms.EcdhEsA256kw, + SecurityAlgorithms.Aes128CbcHmacSha256) + { + KeyExchangePublicKey = KeyingMaterial.JsonWebKeyP521_Public + }, + SigningCredentials = KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2, + AdditionalHeaderParams = AdditionalEcdhEsHeaderParameters(KeyingMaterial.JsonWebKeyP521_Public), + TokenValidationParameters = CreateTokenValidationParameters( + Default.Issuer, [Default.Audience], KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2.Key, + tokenDecryptionKey: new ECDsaSecurityKey(KeyingMaterial.JsonWebKeyP521, true)), + ValidationParameters = CreateValidationParameters( + Default.Issuer, [Default.Audience], KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2.Key, + tokenDecryptionKey: new ECDsaSecurityKey(KeyingMaterial.JsonWebKeyP521, true), + ephemeralDecryptionKey: new ECDsaSecurityKey(KeyingMaterial.JsonWebKeyP521, true)), + }, + new 
JsonWebTokenHandlerValidationParametersTheoryData("Invalid_JWE_NoDecryptionKeys") + { + EncryptingCredentials = new EncryptingCredentials( + KeyingMaterial.DefaultX509Key_2048, + SecurityAlgorithms.RsaPKCS1, + SecurityAlgorithms.Aes128CbcHmacSha256), + SigningCredentials = KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2, + TokenValidationParameters = CreateTokenValidationParameters( + Default.Issuer, [Default.Audience], KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2.Key), + ValidationParameters = CreateValidationParameters( + Default.Issuer, [Default.Audience], KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2.Key), + ExpectedIsValid = false, + // TVP path returns a key wrap exception listing the 0 keys tried in the same way as if there had been more + // while VP path returns a decryption failed exception stating that no keys were tried. + ExpectedException = ExpectedException.SecurityTokenKeyWrapException("IDX10618:"), + ExpectedExceptionValidationParameters = ExpectedException.SecurityTokenDecryptionFailedException("IDX10609:"), + }, + new JsonWebTokenHandlerValidationParametersTheoryData("Invalid_JWE_WrongDecryptionKey") + { + EncryptingCredentials = new EncryptingCredentials( + KeyingMaterial.DefaultX509Key_2048, + SecurityAlgorithms.RsaPKCS1, + SecurityAlgorithms.Aes128CbcHmacSha256), + SigningCredentials = KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2, + TokenValidationParameters = CreateTokenValidationParameters( + Default.Issuer, [Default.Audience], KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2.Key, + tokenDecryptionKey: KeyingMaterial.DefaultRsaSecurityKey1), + ValidationParameters = CreateValidationParameters( + Default.Issuer, [Default.Audience], KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2.Key, + tokenDecryptionKey: KeyingMaterial.DefaultRsaSecurityKey1), + ExpectedIsValid = false, + ExpectedException = ExpectedException.SecurityTokenKeyWrapException("IDX10618:"), + }, + new 
JsonWebTokenHandlerValidationParametersTheoryData("Invalid_JWE_WrongDecryptionKey") + { + EncryptingCredentials = new EncryptingCredentials( + KeyingMaterial.DefaultX509Key_2048, + SecurityAlgorithms.RsaPKCS1, + SecurityAlgorithms.Aes128CbcHmacSha256), + SigningCredentials = KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2, + TokenValidationParameters = CreateTokenValidationParameters( + Default.Issuer, [Default.Audience], KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2.Key, + tokenDecryptionKey: KeyingMaterial.DefaultRsaSecurityKey1), + ValidationParameters = CreateValidationParameters( + Default.Issuer, [Default.Audience], KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2.Key, + tokenDecryptionKey: KeyingMaterial.DefaultRsaSecurityKey1), + ExpectedIsValid = false, + ExpectedException = ExpectedException.SecurityTokenKeyWrapException("IDX10618:"), + }, }; static TokenValidationParameters CreateTokenValidationParameters( string issuer, List audiences, SecurityKey issuerSigningKey, + SecurityKey tokenDecryptionKey = null, List validAlgorithms = null, bool tryAllKeys = false) => new TokenValidationParameters { @@ -218,6 +305,7 @@ static TokenValidationParameters CreateTokenValidationParameters( ValidateTokenReplay = true, ValidateIssuerSigningKey = true, IssuerSigningKey = issuerSigningKey, + TokenDecryptionKey = tokenDecryptionKey, ValidAudiences = audiences, ValidIssuer = issuer, TryAllIssuerSigningKeys = tryAllKeys, @@ -227,6 +315,8 @@ static ValidationParameters CreateValidationParameters( string issuer, List audiences, SecurityKey issuerSigningKey, + SecurityKey tokenDecryptionKey = null, + SecurityKey ephemeralDecryptionKey = null, List validAlgorithms = null, bool tryAllKeys = false) { 
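Review bot: The added theory data ends with two byte-identical `Invalid_JWE_WrongDecryptionKey` entries back to back; drop one, since a duplicated case name also makes it ambiguous which of the two is reported when it fails. Separately, `Valid_JWE_EcdhEs` uses `KeyingMaterial.JsonWebKeyP521` (or its `_Public` half) for the encrypting key, `KeyExchangePublicKey`, the `epk` header and the decryption key alike, so a handler that confused the recipient key with the ephemeral key would still pass; a distinct P-521 pair for the sender, if `KeyingMaterial` provides one, would make the case discriminating. The `TheoryData` property starts outside the hunk.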
@@ -237,9 +327,31 @@ static ValidationParameters CreateValidationParameters( validationParameters.TryAllIssuerSigningKeys = tryAllKeys; if (validAlgorithms is not null) validationParameters.ValidAlgorithms = validAlgorithms; + if (tokenDecryptionKey is not null) + validationParameters.TokenDecryptionKeys = [tokenDecryptionKey]; + if (ephemeralDecryptionKey is not null) + validationParameters.EphemeralDecryptionKey = ephemeralDecryptionKey; return validationParameters; } + + static Dictionary AdditionalEcdhEsHeaderParameters(JsonWebKey publicKeySender) + { + var epkJObject = new JObject(); + epkJObject.Add(JsonWebKeyParameterNames.Kty, publicKeySender.Kty); + epkJObject.Add(JsonWebKeyParameterNames.Crv, publicKeySender.Crv); + epkJObject.Add(JsonWebKeyParameterNames.X, publicKeySender.X); + epkJObject.Add(JsonWebKeyParameterNames.Y, publicKeySender.Y); + + Dictionary additionalHeaderParams = new Dictionary() + { + { JsonWebTokens.JwtHeaderParameterNames.Apu, Guid.NewGuid().ToString() }, + { JsonWebTokens.JwtHeaderParameterNames.Apv, Guid.NewGuid().ToString() }, + { JsonWebTokens.JwtHeaderParameterNames.Epk, epkJObject.ToString(Newtonsoft.Json.Formatting.None) } + }; + + return additionalHeaderParams; + } } } From 2eafa7dfe269e7eb3197004ac9db3bdf84f5ded1 Mon Sep 17 00:00:00 2001 From: Ignacio Inglese Date: Fri, 6 Sep 2024 16:54:37 +0100 Subject: [PATCH 3/6] Wrapped EcdSa test within if block for unsupported versions --- .../JsonWebTokenHandlerValidationParametersTests.cs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerValidationParametersTests.cs b/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerValidationParametersTests.cs index 4249d47739..6662afa679 100644 --- a/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerValidationParametersTests.cs +++ b/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerValidationParametersTests.cs 
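Review bot: `AdditionalEcdhEsHeaderParameters` fills `apu` and `apv` with `Guid.NewGuid().ToString()`, so every run feeds a different party-info value into the KDF and produces a different token, which makes a failure hard to reproduce from the test name alone. Fixed constants, e.g. `{ JsonWebTokens.JwtHeaderParameterNames.Apu, "apu-test-value" }` (constructed value), keep the case deterministic without changing what it exercises. A one-line remark on the helper that `epk` must be the sender's public key serialised as compact JSON, because the handler parses that header string back into a `JsonWebKey`, would also help the next reader.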
@@ -220,6 +220,7 @@ public static TheoryData Json Default.Issuer, [Default.Audience], KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2.Key, tokenDecryptionKey: KeyingMaterial.DefaultX509Key_2048), }, +#if NET472 || NET6_0_OR_GREATER new JsonWebTokenHandlerValidationParametersTheoryData("Valid_JWE_EcdhEs") { EncryptingCredentials = new EncryptingCredentials( @@ -239,6 +240,7 @@ public static TheoryData Json tokenDecryptionKey: new ECDsaSecurityKey(KeyingMaterial.JsonWebKeyP521, true), ephemeralDecryptionKey: new ECDsaSecurityKey(KeyingMaterial.JsonWebKeyP521, true)), }, +#endif new JsonWebTokenHandlerValidationParametersTheoryData("Invalid_JWE_NoDecryptionKeys") { EncryptingCredentials = new EncryptingCredentials( From b5e84ae19ecbae8aef864b9ed4682c8ed1b7b657 Mon Sep 17 00:00:00 2001 From: Ignacio Inglese Date: Mon, 9 Sep 2024 15:09:52 +0100 Subject: [PATCH 4/6] Removed workaround for ecdsa encryption using ephemeral key in favour of the RFC approach. Updated tests. --- .../JsonWebTokenHandler.DecryptToken.cs | 21 +++------------- .../Validation/ValidationParameters.cs | 5 ---- .../JsonWebTokenHandler.DecryptTokenTests.cs | 24 ++++++++++++++++++- ...ebTokenHandlerValidationParametersTests.cs | 12 +++++----- 4 files changed, 32 insertions(+), 30 deletions(-) diff --git a/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.DecryptToken.cs b/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.DecryptToken.cs index b32293a29f..7d1bb15cbb 100644 --- a/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.DecryptToken.cs +++ b/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.DecryptToken.cs 
@@ -170,24 +170,9 @@ internal Result DecryptToken( #if NET472 || NET6_0_OR_GREATER if (SupportedAlgorithms.EcdsaWrapAlgorithms.Contains(jwtToken.Alg)) { - ECDsaSecurityKey? publicKey; - - // Since developers may have already worked around this issue, implicitly taking a dependency on the - // old behavior, we guard the new behavior behind an AppContext switch. The new/RFC-conforming behavior - // is treated as opt-in. When the library is at the point where it is able to make breaking changes - // (such as the next major version update) we should consider whether or not this app-compat switch - // needs to be maintained. - if (AppContextSwitches.UseRfcDefinitionOfEpkAndKid) - { - // on decryption we get the public key from the EPK value see: https://datatracker.ietf.org/doc/html/rfc7518#appendix-C - jwtToken.TryGetHeaderValue(JwtHeaderParameterNames.Epk, out string epk); - publicKey = new ECDsaSecurityKey(new JsonWebKey(epk), false); - } - else - { - publicKey = validationParameters.EphemeralDecryptionKey as ECDsaSecurityKey; - } - + // on decryption we get the public key from the EPK value see: https://datatracker.ietf.org/doc/html/rfc7518#appendix-C + jwtToken.TryGetHeaderValue(JwtHeaderParameterNames.Epk, out string epk); + ECDsaSecurityKey? publicKey = new ECDsaSecurityKey(new JsonWebKey(epk), false); if (publicKey is not null) { var ecdhKeyExchangeProvider = new EcdhKeyExchangeProvider( diff --git a/src/Microsoft.IdentityModel.Tokens/Validation/ValidationParameters.cs b/src/Microsoft.IdentityModel.Tokens/Validation/ValidationParameters.cs index e7f50bcb18..561d6588df 100644 --- a/src/Microsoft.IdentityModel.Tokens/Validation/ValidationParameters.cs +++ b/src/Microsoft.IdentityModel.Tokens/Validation/ValidationParameters.cs 
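Review bot: `ECDsaSecurityKey? publicKey = new ECDsaSecurityKey(new JsonWebKey(epk), false);` followed by `if (publicKey is not null)` is now a dead guard: `new` cannot produce null, so the nullable annotation and the check express no condition, and the only failure mode left when `epk` is absent or malformed is an exception thrown from the constructors. Either drop the guard and the `?`, or let it carry the header lookup result, e.g. `ECDsaSecurityKey? publicKey = jwtToken.TryGetHeaderValue(JwtHeaderParameterNames.Epk, out string epk) ? new ECDsaSecurityKey(new JsonWebKey(epk), false) : null;`. `DecryptToken` starts and ends outside the hunk.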
@@ -251,11 +251,6 @@ public virtual ClaimsIdentity CreateClaimsIdentity(SecurityToken securityToken, /// public string DebugId { get; set; } - /// - /// Gets the representing the ephemeral decryption key used for decryption by certain algorithms. - /// - public SecurityKey EphemeralDecryptionKey { get; set; } - /// /// Gets or sets a boolean that controls if a '/' is significant at the end of the audience. /// The default is true. diff --git a/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandler.DecryptTokenTests.cs b/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandler.DecryptTokenTests.cs index 0230ec0c16..d50425f265 100644 --- a/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandler.DecryptTokenTests.cs +++ b/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandler.DecryptTokenTests.cs @@ -2,6 +2,10 @@ // Licensed under the MIT License. using System; +#if NET472_OR_GREATER || NET6_0_OR_GREATER +using System.Collections.Generic; +using Newtonsoft.Json.Linq; +#endif using System.IdentityModel.Tokens.Jwt.Tests; using Microsoft.IdentityModel.Logging; using Microsoft.IdentityModel.TestUtils; 
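Review bot: The new using block is guarded by `#if NET472_OR_GREATER || NET6_0_OR_GREATER`, while the production ECDH branch in the preceding `DecryptToken` hunk and the test helper guarded later in this patch (the `-331,12 +331,11` hunk) use `#if NET472 || NET6_0_OR_GREATER`; the usings in `JsonWebTokenHandlerValidationParametersTests.cs` (the `-1,14 +1,16` hunk) carry the same mismatch. `NET472_OR_GREATER` is also defined for net48-and-later targets where `NET472` is not, so on such a target (if the test project has one — not visible here) the usings would be compiled in while the code that needs them is compiled out. Using the same symbol on both sides, `#if NET472 || NET6_0_OR_GREATER`, keeps the usings and their consumers in step.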
@@ -93,10 +97,29 @@ public static TheoryData JsonWebTokenHandlerDecryptTo Expires = DateTime.MaxValue, NotBefore = DateTime.MinValue, IssuedAt = DateTime.MinValue, + AdditionalHeaderClaims = AdditionalEcdhEsHeaderParameters(KeyingMaterial.JsonWebKeyP256_Public), }; var jsonWebTokenHandler = new JsonWebTokenHandler(); var ecdsaToken = new JsonWebToken(jsonWebTokenHandler.CreateToken(ecdsaTokenDescriptor)); + + static Dictionary AdditionalEcdhEsHeaderParameters(JsonWebKey publicKeySender) + { + var epkJObject = new JObject(); + epkJObject.Add(JsonWebKeyParameterNames.Kty, publicKeySender.Kty); + epkJObject.Add(JsonWebKeyParameterNames.Crv, publicKeySender.Crv); + epkJObject.Add(JsonWebKeyParameterNames.X, publicKeySender.X); + epkJObject.Add(JsonWebKeyParameterNames.Y, publicKeySender.Y); + + Dictionary additionalHeaderParams = new Dictionary() + { + { JsonWebTokens.JwtHeaderParameterNames.Apu, Guid.NewGuid().ToString() }, + { JsonWebTokens.JwtHeaderParameterNames.Apv, Guid.NewGuid().ToString() }, + { JsonWebTokens.JwtHeaderParameterNames.Epk, epkJObject.ToString(Newtonsoft.Json.Formatting.None) } + }; + + return additionalHeaderParams; + } #endif return new TheoryData @@ -173,7 +196,6 @@ public static TheoryData JsonWebTokenHandlerDecryptTo ValidationParameters = new ValidationParameters { TokenDecryptionKeys = [new ECDsaSecurityKey(KeyingMaterial.JsonWebKeyP256, true)], - EphemeralDecryptionKey = new ECDsaSecurityKey(KeyingMaterial.JsonWebKeyP256, true) }, Result = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJleHAiOjI1MzQwMjMwMDgwMCwiaWF0IjowLCJuYmYiOjB9." }, diff --git a/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerValidationParametersTests.cs b/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerValidationParametersTests.cs index 6662afa679..ce2fae56c2 100644 --- a/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerValidationParametersTests.cs 
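Review bot: The local function `AdditionalEcdhEsHeaderParameters` added inside the `TheoryData` builder is a verbatim copy of the one added to `JsonWebTokenHandlerValidationParametersTests.cs` in PATCH 2/6, including the `JObject` assembly of the `epk` header and the random `apu`/`apv` values. Both test files already import `Microsoft.IdentityModel.TestUtils`, so one shared helper there (for instance next to the JWK fixtures on `KeyingMaterial`) would keep the two tests from drifting when the header format changes. The enclosing `#if` region and the method itself start outside the hunk.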
+++ b/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerValidationParametersTests.cs @@ -1,14 +1,16 @@ // Copyright (c) Microsoft Corporation. All rights reserved. // Licensed under the MIT License. +#if NET472_OR_GREATER || NET6_0_OR_GREATER using System; +using Newtonsoft.Json.Linq; +#endif using System.Collections.Generic; using System.Security.Claims; using System.Threading; using System.Threading.Tasks; using Microsoft.IdentityModel.TestUtils; using Microsoft.IdentityModel.Tokens; -using Newtonsoft.Json.Linq; using Xunit; namespace Microsoft.IdentityModel.JsonWebTokens.Tests @@ -237,8 +239,7 @@ public static TheoryData Json tokenDecryptionKey: new ECDsaSecurityKey(KeyingMaterial.JsonWebKeyP521, true)), ValidationParameters = CreateValidationParameters( Default.Issuer, [Default.Audience], KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2.Key, - tokenDecryptionKey: new ECDsaSecurityKey(KeyingMaterial.JsonWebKeyP521, true), - ephemeralDecryptionKey: new ECDsaSecurityKey(KeyingMaterial.JsonWebKeyP521, true)), + tokenDecryptionKey: new ECDsaSecurityKey(KeyingMaterial.JsonWebKeyP521, true)), }, #endif new JsonWebTokenHandlerValidationParametersTheoryData("Invalid_JWE_NoDecryptionKeys") @@ -318,7 +319,6 @@ static ValidationParameters CreateValidationParameters( List audiences, SecurityKey issuerSigningKey, SecurityKey tokenDecryptionKey = null, - SecurityKey ephemeralDecryptionKey = null, List validAlgorithms = null, bool tryAllKeys = false) { 
@@ -331,12 +331,11 @@ static ValidationParameters CreateValidationParameters( validationParameters.ValidAlgorithms = validAlgorithms; if (tokenDecryptionKey is not null) validationParameters.TokenDecryptionKeys = [tokenDecryptionKey]; - if (ephemeralDecryptionKey is not null) - validationParameters.EphemeralDecryptionKey = ephemeralDecryptionKey; return validationParameters; } +#if NET472 || NET6_0_OR_GREATER static Dictionary AdditionalEcdhEsHeaderParameters(JsonWebKey publicKeySender) { var epkJObject = new JObject(); @@ -354,6 +353,7 @@ static Dictionary AdditionalEcdhEsHeaderParameters(JsonWebKey pu return additionalHeaderParams; } +#endif } } From f36226036b523d825d429092975f2f503609f82d Mon Sep 17 00:00:00 2001 From: Ignacio Inglese Date: Tue, 10 Sep 2024 21:27:53 +0100 Subject: [PATCH 5/6] Fixed failing test due to changed behaviour. --- .../JsonWebTokenHandlerValidationParametersTests.cs | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerValidationParametersTests.cs b/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerValidationParametersTests.cs index 0ff75e26d1..75a740196c 100644 --- a/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerValidationParametersTests.cs +++ b/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerValidationParametersTests.cs 
@@ -254,10 +254,7 @@ public static TheoryData Json ValidationParameters = CreateValidationParameters( Default.Issuer, [Default.Audience], KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2.Key), ExpectedIsValid = false, - // TVP path returns a key wrap exception listing the 0 keys tried in the same way as if there had been more - // while VP path returns a decryption failed exception stating that no keys were tried. - ExpectedException = ExpectedException.SecurityTokenKeyWrapException("IDX10618:"), - ExpectedExceptionValidationParameters = ExpectedException.SecurityTokenDecryptionFailedException("IDX10609:"), + ExpectedException = ExpectedException.SecurityTokenDecryptionFailedException("IDX10609:"), }, new JsonWebTokenHandlerValidationParametersTheoryData("Invalid_JWE_WrongDecryptionKey") { From b7cc7b05aebbce998cee2e41baa8b1ed41deb864 Mon Sep 17 00:00:00 2001 From: Ignacio Inglese Date: Tue, 10 Sep 2024 21:28:09 +0100 Subject: [PATCH 6/6] Added missing exception type --- .../Validation/Results/Details/ValidationError.cs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/Microsoft.IdentityModel.Tokens/Validation/Results/Details/ValidationError.cs b/src/Microsoft.IdentityModel.Tokens/Validation/Results/Details/ValidationError.cs index 653d6ff22b..636ced2add 100644 --- a/src/Microsoft.IdentityModel.Tokens/Validation/Results/Details/ValidationError.cs +++ b/src/Microsoft.IdentityModel.Tokens/Validation/Results/Details/ValidationError.cs @@ -135,6 +135,8 @@ private Exception GetException(Type exceptionType, Exception innerException) exception = new SecurityTokenInvalidAlgorithmException(MessageDetail.Message); else if (exceptionType == typeof(SecurityTokenException)) exception = new SecurityTokenException(MessageDetail.Message); + else if (exceptionType == typeof(SecurityTokenKeyWrapException)) + exception = new SecurityTokenKeyWrapException(MessageDetail.Message); } else { 
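Review bot: The exception-type dispatch in `GetException` is two parallel `else if` chains — one for the no-inner-exception case here and one for the `actualException` case in the `-182,6 +184,8` hunk — and this commit exists because one entry was missing from both; two hand-maintained lists invite the next omission. A single mapping used by both branches, e.g. a `static readonly Dictionary<Type, Func<string, Exception, Exception>>` keyed by exception type, or one `switch` on `exceptionType` that takes the optional inner exception, would make a new type a one-line addition. A type that matches neither chain falls through to whatever `exception` held before the chain (outside the hunk), so a brief comment stating what is returned for an unmapped type would also help. `GetException` starts and ends outside the hunk.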
@@ -182,6 +184,8 @@ private Exception GetException(Type exceptionType, Exception innerException) exception = new SecurityTokenInvalidAlgorithmException(MessageDetail.Message, actualException); else if (exceptionType == typeof(SecurityTokenException)) exception = new SecurityTokenException(MessageDetail.Message, actualException); + else if (exceptionType == typeof(SecurityTokenKeyWrapException)) + exception = new SecurityTokenKeyWrapException(MessageDetail.Message, actualException); } return exception;