Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dispose object in JsonWebTokenHandler.CreateToken.cs #3064

Closed
wants to merge 2 commits into from
Closed

Dispose object in JsonWebTokenHandler.CreateToken.cs #3064

wants to merge 2 commits into from

Conversation

gparametr
Copy link
Contributor

var kwp = key.CryptoProviderFactory.CreateKeyWrapProviderForUnwrap();

'kwp' becomes out of scope and is not disposed.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

@gparametr
Dispose object in JsonWebTokenHandler.CreateToken.cs
2dacae6 
var kwp = key.CryptoProviderFactory.CreateKeyWrapProviderForUnwrap();

'kwp' becomes out of scope and is not disposed.
@gparametr gparametr requested a review from a team as a code owner December 19, 2024 12:59
@pmaytak pmaytak requested a review from Copilot December 20, 2024 21:49
Copilot
Copilot AI reviewed Dec 20, 2024
View reviewed changes

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.
pmaytak
pmaytak requested changes Dec 28, 2024
View reviewed changes
src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.CreateToken.cs
@@ -1365,15 +1365,15 @@ internal IEnumerable<SecurityKey> GetContentEncryptionKeys(JsonWebToken jwtToken
jwtToken.TryGetHeaderValue(JwtHeaderParameterNames.Apu, out string apu);
jwtToken.TryGetHeaderValue(JwtHeaderParameterNames.Apv, out string apv);
SecurityKey kdf = ecdhKeyExchangeProvider.GenerateKdf(apu, apv);
var kwp = key.CryptoProviderFactory.CreateKeyWrapProviderForUnwrap(kdf, ecdhKeyExchangeProvider.GetEncryptionAlgorithm());
using var kwp = key.CryptoProviderFactory.CreateKeyWrapProviderForUnwrap(kdf, ecdhKeyExchangeProvider.GetEncryptionAlgorithm());
Copy link
Contributor

@pmaytak pmaytak Dec 28, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is the right change - we shouldn't dispose here.

CryptoProviderFactory.CreateKeyWrapProviderForUnwrap ends up calling CustomCryptoProvider.Create if it was set. CustomCryptoProvider implements ICryptoProvider which has a Create and a Release. So the interface intends for the creator to release the provider.

The more appropriate change would probably be to call CryptoProviderFactory.ReleaseKeyWrapProvider maybe in the finally.

cc @brentschmaltz

@pmaytak pmaytak closed this Jan 8, 2025
gparametr pushed a commit to gparametr/azure-activedirectory-identitymodel-extensions-for-dotnet that referenced this pull request Jan 10, 2025
JsonWebTokenHandler.CreateToken(): dispose KeyWrapProvider.
7987b8d 
Base on comments from: AzureAD#3064
gparametr added a commit to gparametr/azure-activedirectory-identitymodel-extensions-for-dotnet that referenced this pull request Jan 10, 2025
@gparametr
JsonWebTokenHandler.CreateToken(): dispose KeyWrapProvider.
17383a0 
Based on comments from: AzureAD#3064
@gparametr gparametr mentioned this pull request Jan 10, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@pmaytak pmaytak pmaytak requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@gparametr @pmaytak