Skip to content

Return unwrapped keys if able #2812

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Sep 9, 2024
Merged

Return unwrapped keys if able #2812

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3a49d8d
Return unwrapped keys if able
Sep 5, 2024
b8a3ee3
Apply same fix to ValidationParameter path
Sep 6, 2024
a30f750
Adjust DecryptToken to throw early if no keys as well as null keys
Sep 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.CreateToken.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1422,7 +1422,7 @@ internal IEnumerable<SecurityKey> GetContentEncryptionKeys(JsonWebToken jwtToken
(keysAttempted ??= new StringBuilder()).AppendLine(key.ToString());
}

if (unwrappedKeys.Count > 0 && exceptionStrings is null)
if (unwrappedKeys.Count > 0 || exceptionStrings is null)
Copy link
Contributor

@brentschmaltz brentschmaltz Sep 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we care about exceptionStrings if we have found any possible keys?

return unwrappedKeys;
else
throw LogHelper.LogExceptionMessage(new SecurityTokenKeyWrapException(LogHelper.FormatInvariant(TokenLogMessages.IDX10618, (object)keysAttempted ?? "", (object)exceptionStrings ?? "", jwtToken)));
Expand Down
81 changes: 67 additions & 14 deletions test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -696,6 +696,8 @@ public static TheoryData<CreateTokenTheoryData> SecurityTokenDecryptionTheoryDat
configurationWithDecryptionKeys.TokenDecryptionKeys.Add(KeyingMaterial.DefaultSymmetricSecurityKey_256);
configurationWithDecryptionKeys.TokenDecryptionKeys.Add(KeyingMaterial.DefaultSymmetricSecurityKey_512);

var configurationThatThrows = CreateCustomConfigurationThatThrows();

tokenHandler.InboundClaimTypeMap.Clear();
return new TheoryData<CreateTokenTheoryData>
{
Expand All @@ -710,7 +712,6 @@ public static TheoryData<CreateTokenTheoryData> SecurityTokenDecryptionTheoryDat
EncryptingCredentials = KeyingMaterial.DefaultSymmetricEncryptingCreds_Aes128_Sha2,
Claims = Default.PayloadDictionary
},
JsonWebTokenHandler = new JsonWebTokenHandler(),
ValidationParameters = new TokenValidationParameters
{
IssuerSigningKey = KeyingMaterial.JsonWebKeyRsa256SigningCredentials.Key,
Expand All @@ -719,8 +720,6 @@ public static TheoryData<CreateTokenTheoryData> SecurityTokenDecryptionTheoryDat
},
Configuration = configurationWithDecryptionKeys,
ExpectedDecryptionKeys = new List<SecurityKey>(){ KeyingMaterial.DefaultSymmetricSecurityKey_256 },
Algorithm = JwtConstants.DirectKeyUseAlg,
EncryptingCredentials = KeyingMaterial.DefaultSymmetricEncryptingCreds_Aes128_Sha2_NoKeyId
},
new CreateTokenTheoryData
{
Expand All @@ -732,7 +731,6 @@ public static TheoryData<CreateTokenTheoryData> SecurityTokenDecryptionTheoryDat
EncryptingCredentials = KeyingMaterial.DefaultSymmetricEncryptingCreds_Aes128_Sha2,
Claims = Default.PayloadDictionary
},
JsonWebTokenHandler = new JsonWebTokenHandler(),
ValidationParameters = new TokenValidationParameters
{
IssuerSigningKey = KeyingMaterial.JsonWebKeyRsa256SigningCredentials.Key,
Expand All @@ -742,8 +740,6 @@ public static TheoryData<CreateTokenTheoryData> SecurityTokenDecryptionTheoryDat
},
Configuration = configurationWithDecryptionKeys,
ExpectedDecryptionKeys = new List<SecurityKey>(){ KeyingMaterial.DefaultSymmetricSecurityKey_256 },
Algorithm = JwtConstants.DirectKeyUseAlg,
EncryptingCredentials = KeyingMaterial.DefaultSymmetricEncryptingCreds_Aes128_Sha2_NoKeyId
},
new CreateTokenTheoryData
{
Expand All @@ -755,7 +751,6 @@ public static TheoryData<CreateTokenTheoryData> SecurityTokenDecryptionTheoryDat
EncryptingCredentials = KeyingMaterial.DefaultSymmetricEncryptingCreds_Aes128_Sha2,
Claims = Default.PayloadDictionary
},
JsonWebTokenHandler = new JsonWebTokenHandler(),
ValidationParameters = new TokenValidationParameters
{
IssuerSigningKey = KeyingMaterial.JsonWebKeyRsa256SigningCredentials.Key,
Expand All @@ -764,35 +759,71 @@ public static TheoryData<CreateTokenTheoryData> SecurityTokenDecryptionTheoryDat
ValidIssuer = Default.Issuer
},
ExpectedDecryptionKeys = new List<SecurityKey>(){ KeyingMaterial.DefaultSymmetricSecurityKey_256 },
Algorithm = JwtConstants.DirectKeyUseAlg,
EncryptingCredentials = KeyingMaterial.DefaultSymmetricEncryptingCreds_Aes128_Sha2_NoKeyId
},
new CreateTokenTheoryData
{
TestId = "AlgorithmMisMatch",
TestId = "AlgorithmMismatch",
Payload = Default.PayloadString,
ExpectedException = ExpectedException.KeyWrapException("IDX10618:"),
// There is no error, just no decryption keys are returned.
ExpectedException = ExpectedException.NoExceptionExpected,
ExpectedDecryptionKeys = new List<SecurityKey>(),
TokenDescriptor = new SecurityTokenDescriptor
{
SigningCredentials = KeyingMaterial.JsonWebKeyRsa256SigningCredentials,
EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.DefaultX509Key_2048, SecurityAlgorithms.RsaPKCS1, SecurityAlgorithms.Aes128CbcHmacSha256),
Claims = Default.PayloadDictionary
},
JsonWebTokenHandler = new JsonWebTokenHandler(),
ValidationParameters = new TokenValidationParameters
{
IssuerSigningKey = KeyingMaterial.JsonWebKeyRsa256SigningCredentials.Key,
TokenDecryptionKeys = new List<SecurityKey>(){ KeyingMaterial.DefaultSymmetricSecurityKey_256 },
ValidAudience = Default.Audience,
ValidIssuer = Default.Issuer
},
Algorithm = SecurityAlgorithms.Aes256CbcHmacSha512,
EncryptingCredentials = KeyingMaterial.DefaultSymmetricEncryptingCreds_Aes128_Sha2_NoKeyId
},
new CreateTokenTheoryData
{
TestId = "EncryptionKeyInConfig_OneKeysThrows_SuccessfulKeyReturned",
Payload = Default.PayloadString,
TokenDescriptor = new SecurityTokenDescriptor
{
SigningCredentials = KeyingMaterial.JsonWebKeyRsa256SigningCredentials,
EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaPKCS1, SecurityAlgorithms.Aes128CbcHmacSha256),
Claims = Default.PayloadDictionary
},
ValidationParameters = new TokenValidationParameters
{
IssuerSigningKey = KeyingMaterial.JsonWebKeyRsa256SigningCredentials.Key,
ValidAudience = Default.Audience,
ValidIssuer = Default.Issuer
},
Configuration = configurationThatThrows,
ExpectedDecryptionKeys = new List<SecurityKey>(){ KeyingMaterial.DefaultSymmetricSecurityKey_256 },
}
};
}
}

private static OpenIdConnectConfiguration CreateCustomConfigurationThatThrows()
{
var customCryptoProviderFactory = new DerivedCryptoProviderFactory
{
IsSupportedAlgImpl = (alg, key) => key.KeySize == 512,
CreateKeyWrapProviderForUnwrapImpl = (key, alg) => throw new InvalidOperationException("Test exception")
};

var sym512Hey = new SymmetricSecurityKey(KeyingMaterial.DefaultSymmetricKeyBytes_512) { KeyId = "CustomSymmetricSecurityKey_512" };
sym512Hey.CryptoProviderFactory = customCryptoProviderFactory;

var rsaKey = new RsaSecurityKey(KeyingMaterial.RsaParameters_2048) { KeyId = "CustomRsaSecurityKey_2048" };

var configurationWithCustomCryptoProviderFactory = new OpenIdConnectConfiguration();
configurationWithCustomCryptoProviderFactory.TokenDecryptionKeys.Add(rsaKey);
configurationWithCustomCryptoProviderFactory.TokenDecryptionKeys.Add(sym512Hey);

return configurationWithCustomCryptoProviderFactory;
}

// Tests checks to make sure that the token string (JWE) created by calling
// CreateToken(string payload, SigningCredentials signingCredentials, EncryptingCredentials encryptingCredentials)
// is equivalent to the token string created by calling CreateToken(SecurityTokenDescriptor tokenDescriptor).
Expand Down Expand Up @@ -4486,4 +4517,26 @@ protected override ClaimsIdentity CreateClaimsIdentity(JsonWebToken jwtToken, To
return base.CreateClaimsIdentity(jwtToken, validationParameters, issuer);
}
}

class DerivedCryptoProviderFactory : CryptoProviderFactory
{
internal Func<string, SecurityKey, bool> IsSupportedAlgImpl { get; set; }
internal Func<SecurityKey, string, KeyWrapProvider> CreateKeyWrapProviderForUnwrapImpl { get; set; }

public override bool IsSupportedAlgorithm(string algorithm, SecurityKey key)
{
if (IsSupportedAlgImpl != null)
return IsSupportedAlgImpl(algorithm, key);

return base.IsSupportedAlgorithm(algorithm, key);
}

public override KeyWrapProvider CreateKeyWrapProviderForUnwrap(SecurityKey key, string algorithm)
{
if (CreateKeyWrapProviderForUnwrapImpl != null)
return CreateKeyWrapProviderForUnwrapImpl(key, algorithm);

return base.CreateKeyWrapProviderForUnwrap(key, algorithm);
}
}
}