Add tests.

Author: pmaytak

src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.CreateToken.cs

@@ -1335,60 +1335,62 @@ internal IEnumerable<SecurityKey> GetContentEncryptionKeys(JsonWebToken jwtToken
             // keep track of exceptions thrown, keys that were tried
             StringBuilder exceptionStrings = null;
             StringBuilder keysAttempted = null;
-            foreach (var key in keys)
+            if (keys != null)
             {
-                try
+                foreach (var key in keys)
                 {
-#if NET472 || NET6_0_OR_GREATER
-                    if (SupportedAlgorithms.EcdsaWrapAlgorithms.Contains(jwtToken.Alg))
+                    try
                     {
-                        ECDsaSecurityKey publicKey;
-
-                        // Since developers may have already worked around this issue, implicitly taking a dependency on the
-                        // old behavior, we guard the new behavior behind an AppContext switch. The new/RFC-conforming behavior
-                        // is treated as opt-in. When the library is at the point where it is able to make breaking changes
-                        // (such as the next major version update) we should consider whether or not this app-compat switch
-                        // needs to be maintained.
-                        if (AppContextSwitches.UseRfcDefinitionOfEpkAndKid)
+#if NET472 || NET6_0_OR_GREATER
+                        if (SupportedAlgorithms.EcdsaWrapAlgorithms.Contains(jwtToken.Alg))
                         {
-                            // on decryption we get the public key from the EPK value see: https://datatracker.ietf.org/doc/html/rfc7518#appendix-C
-                            jwtToken.TryGetHeaderValue(JwtHeaderParameterNames.Epk, out string epk);
-                            publicKey = new ECDsaSecurityKey(new JsonWebKey(epk), false);
+                            ECDsaSecurityKey publicKey;
+
+                            // Since developers may have already worked around this issue, implicitly taking a dependency on the
+                            // old behavior, we guard the new behavior behind an AppContext switch. The new/RFC-conforming behavior
+                            // is treated as opt-in. When the library is at the point where it is able to make breaking changes
+                            // (such as the next major version update) we should consider whether or not this app-compat switch
+                            // needs to be maintained.
+                            if (AppContextSwitches.UseRfcDefinitionOfEpkAndKid)
+                            {
+                                // on decryption we get the public key from the EPK value see: https://datatracker.ietf.org/doc/html/rfc7518#appendix-C
+                                jwtToken.TryGetHeaderValue(JwtHeaderParameterNames.Epk, out string epk);
+                                publicKey = new ECDsaSecurityKey(new JsonWebKey(epk), false);
+                            }
+                            else
+                            {
+                                publicKey = validationParameters.TokenDecryptionKey as ECDsaSecurityKey;
+                            }
+
+                            var ecdhKeyExchangeProvider = new EcdhKeyExchangeProvider(
+                                key as ECDsaSecurityKey,
+                                publicKey,
+                                jwtToken.Alg,
+                                jwtToken.Enc);
+                            jwtToken.TryGetHeaderValue(JwtHeaderParameterNames.Apu, out string apu);
+                            jwtToken.TryGetHeaderValue(JwtHeaderParameterNames.Apv, out string apv);
+                            SecurityKey kdf = ecdhKeyExchangeProvider.GenerateKdf(apu, apv);
+                            var kwp = key.CryptoProviderFactory.CreateKeyWrapProviderForUnwrap(kdf, ecdhKeyExchangeProvider.GetEncryptionAlgorithm());
+                            var unwrappedKey = kwp.UnwrapKey(Base64UrlEncoder.DecodeBytes(jwtToken.EncryptedKey));
+                            unwrappedKeys.Add(new SymmetricSecurityKey(unwrappedKey));
                         }
                         else
+#endif
+                        if (key.CryptoProviderFactory.IsSupportedAlgorithm(jwtToken.Alg, key))
                         {
-                            publicKey = validationParameters.TokenDecryptionKey as ECDsaSecurityKey;
+                            var kwp = key.CryptoProviderFactory.CreateKeyWrapProviderForUnwrap(key, jwtToken.Alg);
+                            var unwrappedKey = kwp.UnwrapKey(jwtToken.EncryptedKeyBytes);
+                            unwrappedKeys.Add(new SymmetricSecurityKey(unwrappedKey));
                         }
-
-                        var ecdhKeyExchangeProvider = new EcdhKeyExchangeProvider(
-                            key as ECDsaSecurityKey,
-                            publicKey,
-                            jwtToken.Alg,
-                            jwtToken.Enc);
-                        jwtToken.TryGetHeaderValue(JwtHeaderParameterNames.Apu, out string apu);
-                        jwtToken.TryGetHeaderValue(JwtHeaderParameterNames.Apv, out string apv);
-                        SecurityKey kdf = ecdhKeyExchangeProvider.GenerateKdf(apu, apv);
-                        var kwp = key.CryptoProviderFactory.CreateKeyWrapProviderForUnwrap(kdf, ecdhKeyExchangeProvider.GetEncryptionAlgorithm());
-                        var unwrappedKey = kwp.UnwrapKey(Base64UrlEncoder.DecodeBytes(jwtToken.EncryptedKey));
-                        unwrappedKeys.Add(new SymmetricSecurityKey(unwrappedKey));
                     }
-                    else
-#endif
-                    if (key.CryptoProviderFactory.IsSupportedAlgorithm(jwtToken.Alg, key))
+                    catch (Exception ex)
                     {
-                        var kwp = key.CryptoProviderFactory.CreateKeyWrapProviderForUnwrap(key, jwtToken.Alg);
-                        var unwrappedKey = kwp.UnwrapKey(jwtToken.EncryptedKeyBytes);
-                        unwrappedKeys.Add(new SymmetricSecurityKey(unwrappedKey));
+                        (exceptionStrings ??= new StringBuilder()).AppendLine(ex.ToString());
                     }
-                }
-                catch (Exception ex)
-                {
-                    (exceptionStrings ??= new StringBuilder()).AppendLine(ex.ToString());
-                }
 
-                (keysAttempted ??= new StringBuilder()).AppendLine(key.KeyId);
+                    (keysAttempted ??= new StringBuilder()).AppendLine(key.KeyId);
+                }
             }
-
             if (unwrappedKeys.Count > 0 || exceptionStrings is null)
                 return unwrappedKeys;
             else

src/Microsoft.IdentityModel.Tokens/TokenValidationParameters.cs

@@ -89,6 +89,7 @@ protected TokenValidationParameters(TokenValidationParameters other)
             TokenReplayCache = other.TokenReplayCache;
             TokenReplayValidator = other.TokenReplayValidator;
             TransformBeforeSignatureValidation = other.TransformBeforeSignatureValidation;
+            TryAllDecryptionKeys = other.TryAllDecryptionKeys;
             TryAllIssuerSigningKeys = other.TryAllIssuerSigningKeys;
             TypeValidator = other.TypeValidator;
             ValidateActor = other.ValidateActor;
@@ -118,6 +119,7 @@ public TokenValidationParameters()
             RequireSignedTokens = true;
             RequireAudience = true;
             SaveSigninToken = false;
+            TryAllDecryptionKeys = true;
             TryAllIssuerSigningKeys = true;
             ValidateActor = false;
             ValidateAudience = true;

src/Microsoft.IdentityModel.Tokens/Validation/ValidationParameters.cs

@@ -92,6 +92,7 @@ protected ValidationParameters(ValidationParameters other)
             SaveSigninToken = other.SaveSigninToken;
             _signatureValidator = other.SignatureValidator;
             TimeProvider = other.TimeProvider;
+            TryAllDecryptionKeys = other.TryAllDecryptionKeys;
             TokenDecryptionKeyResolver = other.TokenDecryptionKeyResolver;
             _tokenDecryptionKeys = other.TokenDecryptionKeys;
             TokenReplayCache = other.TokenReplayCache;
@@ -112,6 +113,7 @@ public ValidationParameters()
         {
             LogTokenId = true;
             SaveSigninToken = false;
+            TryAllDecryptionKeys = true;
             ValidateActor = false;
         }
 

test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerTests.cs

@@ -672,7 +672,7 @@ public void GetEncryptionKeys(CreateTokenTheoryData theoryData)
                 var jwtTokenFromJsonHandlerWithKid = new JsonWebToken(jweFromJsonHandlerWithKid);
                 var encryptionKeysFromJsonHandlerWithKid = theoryData.JsonWebTokenHandler.GetContentEncryptionKeys(jwtTokenFromJsonHandlerWithKid, theoryData.ValidationParameters, theoryData.Configuration);
 
-                IdentityComparer.AreEqual(encryptionKeysFromJsonHandlerWithKid, theoryData.ExpectedDecryptionKeys);
+                Assert.True(IdentityComparer.AreEqual(encryptionKeysFromJsonHandlerWithKid, theoryData.ExpectedDecryptionKeys));
                 theoryData.ExpectedException.ProcessNoException(context);
             }
             catch (Exception ex)
@@ -696,15 +696,19 @@ public static TheoryData<CreateTokenTheoryData> SecurityTokenDecryptionTheoryDat
                 configurationWithDecryptionKeys.TokenDecryptionKeys.Add(KeyingMaterial.DefaultSymmetricSecurityKey_256);
                 configurationWithDecryptionKeys.TokenDecryptionKeys.Add(KeyingMaterial.DefaultSymmetricSecurityKey_512);
 
-                var configurationThatThrows = CreateCustomConfigurationThatThrows();
+                var rsaKey = new RsaSecurityKey(KeyingMaterial.RsaParameters_2048) { KeyId = "CustomRsaSecurityKey_2048" };
+                var configurationThatThrows = CreateCustomConfigurationThatThrows(rsaKey);
+
+                var configurationWithMismatchedKeys = new OpenIdConnectConfiguration();
+                configurationWithMismatchedKeys.TokenDecryptionKeys.Add(rsaKey);
 
                 tokenHandler.InboundClaimTypeMap.Clear();
                 return new TheoryData<CreateTokenTheoryData>
                 {
-                   new CreateTokenTheoryData
-                   {
+                    new CreateTokenTheoryData
+                    {
                         First = true,
-                        TestId = "EncryptionKeyInConfig",
+                        TestId = "ValidKeyInConfig_KeysSetInConfig",
                         Payload = Default.PayloadString,
                         TokenDescriptor =  new SecurityTokenDescriptor
                         {
@@ -720,10 +724,10 @@ public static TheoryData<CreateTokenTheoryData> SecurityTokenDecryptionTheoryDat
                         },
                         Configuration = configurationWithDecryptionKeys,
                         ExpectedDecryptionKeys =  new List<SecurityKey>(){ KeyingMaterial.DefaultSymmetricSecurityKey_256 },
-                   },
-                   new CreateTokenTheoryData
-                   {
-                        TestId = "ValidEncryptionKeyInConfig",
+                    },
+                    new CreateTokenTheoryData
+                    {
+                        TestId = "ValidKeyInConfig_KeysSetInConfigAndTvp",
                         Payload = Default.PayloadString,
                         TokenDescriptor =  new SecurityTokenDescriptor
                         {
@@ -740,10 +744,10 @@ public static TheoryData<CreateTokenTheoryData> SecurityTokenDecryptionTheoryDat
                         },
                         Configuration = configurationWithDecryptionKeys,
                         ExpectedDecryptionKeys =  new List<SecurityKey>(){ KeyingMaterial.DefaultSymmetricSecurityKey_256 },
-                   },
-                   new CreateTokenTheoryData
-                   {
-                        TestId = "Valid",
+                    },
+                    new CreateTokenTheoryData
+                    {
+                        TestId = "ValidKeyInTvp_KeysSetInTvp",
                         Payload = Default.PayloadString,
                         TokenDescriptor =  new SecurityTokenDescriptor
                         {
@@ -759,10 +763,10 @@ public static TheoryData<CreateTokenTheoryData> SecurityTokenDecryptionTheoryDat
                             ValidIssuer = Default.Issuer
                         },
                         ExpectedDecryptionKeys =  new List<SecurityKey>(){ KeyingMaterial.DefaultSymmetricSecurityKey_256 },
-                   },
-                   new CreateTokenTheoryData
-                   {
-                        TestId = "AlgorithmMismatch",
+                    },
+                    new CreateTokenTheoryData
+                    {
+                        TestId = "AlgorithmMismatch_ReturnsNoKeys",
                         Payload = Default.PayloadString,
                         // There is no error, just no decryption keys are returned.
                         ExpectedException = ExpectedException.NoExceptionExpected,
@@ -780,10 +784,10 @@ public static TheoryData<CreateTokenTheoryData> SecurityTokenDecryptionTheoryDat
                             ValidAudience = Default.Audience,
                             ValidIssuer = Default.Issuer
                         },
-                   },
-                   new CreateTokenTheoryData
-                   {
-                        TestId = "EncryptionKeyInConfig_OneKeysThrows_SuccessfulKeyReturned",
+                    },
+                    new CreateTokenTheoryData
+                    {
+                        TestId = "ValidKeyInConfig_OneKeyThrows_SuccessfulKeyReturned",
                         Payload = Default.PayloadString,
                         TokenDescriptor =  new SecurityTokenDescriptor
                         {
@@ -798,13 +802,53 @@ public static TheoryData<CreateTokenTheoryData> SecurityTokenDecryptionTheoryDat
                             ValidIssuer = Default.Issuer
                         },
                         Configuration = configurationThatThrows,
-                        ExpectedDecryptionKeys =  new List<SecurityKey>(){ KeyingMaterial.DefaultSymmetricSecurityKey_256 },
-                   }
+                        ExpectedDecryptionKeys =  new List<SecurityKey>(){ rsaKey },
+                    },
+                    new CreateTokenTheoryData
+                    {
+                        TestId = "KeyIdMismatch_TryAllDecryptionKeysTrue_ReturnsKey",
+                        Payload = Default.PayloadString,
+                        TokenDescriptor =  new SecurityTokenDescriptor
+                        {
+                            SigningCredentials = KeyingMaterial.JsonWebKeyRsa256SigningCredentials,
+                            EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaPKCS1, SecurityAlgorithms.Aes128CbcHmacSha256),
+                            Claims = Default.PayloadDictionary
+                        },
+                        ValidationParameters = new TokenValidationParameters
+                        {
+                            IssuerSigningKey = KeyingMaterial.JsonWebKeyRsa256SigningCredentials.Key,
+                            TryAllDecryptionKeys = true,
+                            ValidAudience = Default.Audience,
+                            ValidIssuer = Default.Issuer
+                        },
+                        Configuration = configurationWithMismatchedKeys,
+                        ExpectedDecryptionKeys =  new List<SecurityKey>(){ rsaKey },
+                    },
+                    new CreateTokenTheoryData
+                    {
+                        TestId = "KeyIdMismatch_TryAllDecryptionKeysFalse_ReturnsNoKeys",
+                        Payload = Default.PayloadString,
+                        TokenDescriptor =  new SecurityTokenDescriptor
+                        {
+                            SigningCredentials = KeyingMaterial.JsonWebKeyRsa256SigningCredentials,
+                            EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaPKCS1, SecurityAlgorithms.Aes128CbcHmacSha256),
+                            Claims = Default.PayloadDictionary
+                        },
+                        ValidationParameters = new TokenValidationParameters
+                        {
+                            IssuerSigningKey = KeyingMaterial.JsonWebKeyRsa256SigningCredentials.Key,
+                            TryAllDecryptionKeys = false,
+                            ValidAudience = Default.Audience,
+                            ValidIssuer = Default.Issuer
+                        },
+                        Configuration = configurationWithMismatchedKeys,
+                        ExpectedDecryptionKeys =  new List<SecurityKey>(),
+                    }
                 };
             }
         }
 
-        private static OpenIdConnectConfiguration CreateCustomConfigurationThatThrows()
+        private static OpenIdConnectConfiguration CreateCustomConfigurationThatThrows(SecurityKey rsaKey)
         {
             var customCryptoProviderFactory = new DerivedCryptoProviderFactory
             {
@@ -815,8 +859,6 @@ private static OpenIdConnectConfiguration CreateCustomConfigurationThatThrows()
             var sym512Hey = new SymmetricSecurityKey(KeyingMaterial.DefaultSymmetricKeyBytes_512) { KeyId = "CustomSymmetricSecurityKey_512" };
             sym512Hey.CryptoProviderFactory = customCryptoProviderFactory;
 
-            var rsaKey = new RsaSecurityKey(KeyingMaterial.RsaParameters_2048) { KeyId = "CustomRsaSecurityKey_2048" };
-
             var configurationWithCustomCryptoProviderFactory = new OpenIdConnectConfiguration();
             configurationWithCustomCryptoProviderFactory.TokenDecryptionKeys.Add(rsaKey);
             configurationWithCustomCryptoProviderFactory.TokenDecryptionKeys.Add(sym512Hey);