
Commit 0b0abbf

committed
Add tests for RsaOaepKeyWrap
Although the RsaOaepKeyWrap identifier doesn't exist, we have already released it and decided to support it. That is why we should keep the RsaOaepKeyWrap tests around.
1 parent c8e9d09 commit 0b0abbf


4 files changed

+104
-0
lines changed


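--- a/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerTests.cs
+++ b/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerTests.cs
@@ -417,6 +417,14 @@ public static TheoryData<CreateTokenTheoryData> RoundTripJWEKeyWrappingTheoryDat
 EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepMgf1pKeyWrap, SecurityAlgorithms.Aes128CbcHmacSha256)
 },
 new CreateTokenTheoryData()
+{
+TestId = "WrongRsaOaepKeyWrapIdentifier-Aes128CbcHmacSha256",
+ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
+Payload = Default.PayloadString,
+SigningCredentials = Default.SymmetricSigningCredentials,
+EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes128CbcHmacSha256)
+},
+new CreateTokenTheoryData()
 {
 TestId = "RsaOaepKeyWrap-Aes192CbcHmacSha384",
 ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
@@ -425,6 +433,14 @@ public static TheoryData<CreateTokenTheoryData> RoundTripJWEKeyWrappingTheoryDat
 EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepMgf1pKeyWrap, SecurityAlgorithms.Aes192CbcHmacSha384)
 },
 new CreateTokenTheoryData()
+{
+TestId = "WrongRsaOaepKeyWrapIdentifier-Aes192CbcHmacSha384",
+ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
+Payload = Default.PayloadString,
+SigningCredentials = Default.SymmetricSigningCredentials,
+EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes192CbcHmacSha384)
+},
+new CreateTokenTheoryData()
 {
 TestId = "RsaOaepKeyWrap-Aes256CbcHmacSha512",
 ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
@@ -433,6 +449,14 @@ public static TheoryData<CreateTokenTheoryData> RoundTripJWEKeyWrappingTheoryDat
 EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepMgf1pKeyWrap, SecurityAlgorithms.Aes256CbcHmacSha512)
 },
 new CreateTokenTheoryData()
+{
+TestId = "WrongRsaOaepKeyWrapIdentifier-Aes256CbcHmacSha512",
+ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
+Payload = Default.PayloadString,
+SigningCredentials = Default.SymmetricSigningCredentials,
+EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes256CbcHmacSha512)
+},
+new CreateTokenTheoryData()
 {
 TestId = "SymmetricSecurityKey2_128-Aes128KW-Aes128CbcHmacSha256",
 ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.SymmetricSecurityKey2_128, Default.SymmetricSigningKey256),
@@ -455,6 +479,14 @@ public static TheoryData<CreateTokenTheoryData> RoundTripJWEKeyWrappingTheoryDat
 Payload = Default.PayloadString,
 SigningCredentials = Default.SymmetricSigningCredentials,
 EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepMgf1pKeyWrap, SecurityAlgorithms.Aes192CbcHmacSha384)
+},
+new CreateTokenTheoryData()
+{
+TestId = "WrongRsaOaepKeyWrapIdentifier-Aes192CbcHmacSha384",
+ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
+Payload = Default.PayloadString,
+SigningCredentials = Default.SymmetricSigningCredentials,
+EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes192CbcHmacSha384)
 }
 };
 }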
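Review bot: The TestId `WrongRsaOaepKeyWrapIdentifier-Aes192CbcHmacSha384` is added twice, at new lines 437 and 485, and both hunk headers name `RoundTripJWEKeyWrappingTheoryData`, so two rows of what appears to be the same theory share one id and a failure report cannot tell them apart. The two rows also use the same key, key-wrap algorithm and content-encryption algorithm, so the second adds no coverage unless it was meant to vary something; give it a distinct id or drop it. The same duplicate name appears in test/System.IdentityModel.Tokens.Jwt.Tests/CreateAndValidateTokens.cs at new lines 822 and 895. The enclosing property starts outside these hunks, so whether earlier rows already repeat ids is not visible here.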

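--- a/test/Microsoft.IdentityModel.Tokens.Saml.Tests/Saml2SecurityTokenHandlerTests.cs
+++ b/test/Microsoft.IdentityModel.Tokens.Saml.Tests/Saml2SecurityTokenHandlerTests.cs
@@ -1701,6 +1701,9 @@ public static TheoryData<Saml2TheoryData> RoundTripEncryptedTokenTheoryData
 var encryptingCredentials_KeyWrap_128_RSAOAEP = new X509EncryptingCredentials(cert, SecurityAlgorithms.RsaOaepMgf1pKeyWrap, SecurityAlgorithms.Aes128Gcm);
 var encryptingCredentials_KeyWrap_192_RSAOAEP = new X509EncryptingCredentials(cert, SecurityAlgorithms.RsaOaepMgf1pKeyWrap, SecurityAlgorithms.Aes192Gcm);
 var encryptingCredentials_KeyWrap_256_RSAOAEP = new X509EncryptingCredentials(cert, SecurityAlgorithms.RsaOaepMgf1pKeyWrap, SecurityAlgorithms.Aes256Gcm);
+var encryptingCredentials_KeyWrap_128_Wrong_RSAOAEP_Identifier = new X509EncryptingCredentials(cert, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes128Gcm);
+var encryptingCredentials_KeyWrap_192_Wrong_RSAOAEP_Identifier = new X509EncryptingCredentials(cert, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes192Gcm);
+var encryptingCredentials_KeyWrap_256_Wrong_RSAOAEP_Identifier = new X509EncryptingCredentials(cert, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes256Gcm);
 
 //SET HELPER CRYPTO PROVIDER FACTORY - remove when AES-GCM is released and supported
 encryptingCredentials128_PreShared.CryptoProviderFactory = new AesGcmProviderFactory();
@@ -1709,6 +1712,9 @@ public static TheoryData<Saml2TheoryData> RoundTripEncryptedTokenTheoryData
 encryptingCredentials_KeyWrap_128_RSAOAEP.CryptoProviderFactory = new AesGcmProviderFactory();
 encryptingCredentials_KeyWrap_192_RSAOAEP.CryptoProviderFactory = new AesGcmProviderFactory();
 encryptingCredentials_KeyWrap_256_RSAOAEP.CryptoProviderFactory = new AesGcmProviderFactory();
+encryptingCredentials_KeyWrap_128_Wrong_RSAOAEP_Identifier.CryptoProviderFactory = new AesGcmProviderFactory();
+encryptingCredentials_KeyWrap_192_Wrong_RSAOAEP_Identifier.CryptoProviderFactory = new AesGcmProviderFactory();
+encryptingCredentials_KeyWrap_256_Wrong_RSAOAEP_Identifier.CryptoProviderFactory = new AesGcmProviderFactory();
 
 // token descriptors (Pre_Shared for one scenario and KeyWrap for another one)
 var tokenDescriptor_128_PreShared = CreateTokenDescriptor(signingCredentials, encryptingCredentials128_PreShared);
@@ -1717,6 +1723,9 @@ public static TheoryData<Saml2TheoryData> RoundTripEncryptedTokenTheoryData
 var tokenDescriptor_KeyWrap_128_RSAOAEP = CreateTokenDescriptor(signingCredentials, encryptingCredentials_KeyWrap_128_RSAOAEP);
 var tokenDescriptor_KeyWrap_192_RSAOAEP = CreateTokenDescriptor(signingCredentials, encryptingCredentials_KeyWrap_192_RSAOAEP);
 var tokenDescriptor_KeyWrap_256_RSAOAEP = CreateTokenDescriptor(signingCredentials, encryptingCredentials_KeyWrap_256_RSAOAEP);
+var tokenDescriptor_KeyWrap_128_Wrong_RSAOAEP_Identifier = CreateTokenDescriptor(signingCredentials, encryptingCredentials_KeyWrap_128_Wrong_RSAOAEP_Identifier);
+var tokenDescriptor_KeyWrap_192_Wrong_RSAOAEP_Identifier = CreateTokenDescriptor(signingCredentials, encryptingCredentials_KeyWrap_192_Wrong_RSAOAEP_Identifier);
+var tokenDescriptor_KeyWrap_256_Wrong_RSAOAEP_Identifier = CreateTokenDescriptor(signingCredentials, encryptingCredentials_KeyWrap_256_Wrong_RSAOAEP_Identifier);
 
 var tokenDescriptor_KeyWrap_Signed = new SecurityTokenDescriptor
 {
@@ -1782,6 +1791,30 @@ public static TheoryData<Saml2TheoryData> RoundTripEncryptedTokenTheoryData
 TestId = nameof(tokenDescriptor_KeyWrap_256_RSAOAEP),
 });
 
+theoryData.Add(new Saml2TheoryData
+{
+SecurityToken = tokenHandler.CreateToken(tokenDescriptor_KeyWrap_128_Wrong_RSAOAEP_Identifier) as Saml2SecurityToken,
+ValidationParameters = CreateTokenValidationParameters(signingKey, KeyingMaterial.DefaultX509Key_2048_With_KeyId),
+ExpectedException = ExpectedException.NoExceptionExpected,
+TestId = nameof(tokenDescriptor_KeyWrap_128_Wrong_RSAOAEP_Identifier),
+});
+
+theoryData.Add(new Saml2TheoryData
+{
+SecurityToken = tokenHandler.CreateToken(tokenDescriptor_KeyWrap_192_Wrong_RSAOAEP_Identifier) as Saml2SecurityToken,
+ValidationParameters = CreateTokenValidationParameters(signingKey, KeyingMaterial.DefaultX509Key_2048_With_KeyId),
+ExpectedException = ExpectedException.NoExceptionExpected,
+TestId = nameof(tokenDescriptor_KeyWrap_192_Wrong_RSAOAEP_Identifier),
+});
+
+theoryData.Add(new Saml2TheoryData
+{
+SecurityToken = tokenHandler.CreateToken(tokenDescriptor_KeyWrap_256_Wrong_RSAOAEP_Identifier) as Saml2SecurityToken,
+ValidationParameters = CreateTokenValidationParameters(signingKey, KeyingMaterial.DefaultX509Key_2048_With_KeyId),
+ExpectedException = ExpectedException.NoExceptionExpected,
+TestId = nameof(tokenDescriptor_KeyWrap_256_Wrong_RSAOAEP_Identifier),
+});
+
 return theoryData;
 }
 }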
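Review bot: Nothing in the new lines explains why cases named `Wrong_RSAOAEP_Identifier` are expected to pass with `ExpectedException.NoExceptionExpected`, so a later reader may take the three rows for a mistake and delete them. A comment above the new credentials at line 1704 would carry the reason from the commit message into the code, for example `// SecurityAlgorithms.RsaOaepKeyWrap does not match an existing algorithm identifier, but it was released and stays supported; keep these round-trip cases.` The enclosing property begins and ends partly outside these hunks, so the comment style of the surrounding rows is only partly visible.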

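--- a/test/Microsoft.IdentityModel.Tokens.Tests/EncryptingCredentialsTests.cs
+++ b/test/Microsoft.IdentityModel.Tokens.Tests/EncryptingCredentialsTests.cs
@@ -124,6 +124,13 @@ public static TheoryData<EncryptingCredentialsTheoryData> ConstructorATheoryData
 Alg = SecurityAlgorithms.RsaOaepMgf1pKeyWrap,
 Enc = SecurityAlgorithms.Aes128CbcHmacSha256,
 TestId = "ValidTest"
+},
+new EncryptingCredentialsTheoryData
+{
+Key = Default.AsymmetricEncryptionKeyPublic,
+Alg = SecurityAlgorithms.RsaOaepKeyWrap,
+Enc = SecurityAlgorithms.Aes128CbcHmacSha256,
+TestId = "ValidTest_WrongRsaOaepKeyWrapIdentifier"
 }
 };
 }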

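--- a/test/System.IdentityModel.Tokens.Jwt.Tests/CreateAndValidateTokens.cs
+++ b/test/System.IdentityModel.Tokens.Jwt.Tests/CreateAndValidateTokens.cs
@@ -801,6 +801,14 @@ public static TheoryData<string, SecurityTokenDescriptor, TokenValidationParamet
 ExpectedException.NoExceptionExpected
 );
 
+encryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes128CbcHmacSha256);
+theoryData.Add(
+"WrongRsaOaepKeyWrapIdentifier-Aes128CbcHmacSha256",
+Default.SecurityTokenDescriptor(encryptingCredentials, Default.SymmetricSigningCredentials, ClaimSets.DefaultClaims),
+Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
+ExpectedException.NoExceptionExpected
+);
+
 encryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepMgf1pKeyWrap, SecurityAlgorithms.Aes192CbcHmacSha384);
 theoryData.Add(
 "RsaOaepKeyWrap-Aes192CbcHmacSha384",
@@ -809,6 +817,14 @@ public static TheoryData<string, SecurityTokenDescriptor, TokenValidationParamet
 ExpectedException.NoExceptionExpected
 );
 
+encryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes192CbcHmacSha384);
+theoryData.Add(
+"WrongRsaOaepKeyWrapIdentifier-Aes192CbcHmacSha384",
+Default.SecurityTokenDescriptor(encryptingCredentials, Default.SymmetricSigningCredentials, ClaimSets.DefaultClaims),
+Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
+ExpectedException.NoExceptionExpected
+);
+
 encryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepMgf1pKeyWrap, SecurityAlgorithms.Aes256CbcHmacSha512);
 theoryData.Add(
 "RsaOaepKeyWrap-Aes256CbcHmacSha512",
@@ -817,6 +833,14 @@ public static TheoryData<string, SecurityTokenDescriptor, TokenValidationParamet
 ExpectedException.NoExceptionExpected
 );
 
+encryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes256CbcHmacSha512);
+theoryData.Add(
+"WrongRsaOaepKeyWrapIdentifier-Aes256CbcHmacSha512",
+Default.SecurityTokenDescriptor(encryptingCredentials, Default.SymmetricSigningCredentials, ClaimSets.DefaultClaims),
+Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
+ExpectedException.NoExceptionExpected
+);
+
 // signing key not found
 theoryData.Add(
 "SigningKey-Not-Found",
@@ -866,6 +890,14 @@ public static TheoryData<string, SecurityTokenDescriptor, TokenValidationParamet
 ExpectedException.NoExceptionExpected
 );
 
+encryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes192CbcHmacSha384);
+theoryData.Add(
+"WrongRsaOaepKeyWrapIdentifier-Aes192CbcHmacSha384",
+Default.SecurityTokenDescriptor(encryptingCredentials, Default.SymmetricSigningCredentials, ClaimSets.DefaultClaims),
+Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
+ExpectedException.NoExceptionExpected
+);
+
 return theoryData;
 }
 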
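Review bot: The new `WrongRsaOaepKeyWrapIdentifier-*` rows only round-trip a token that the current build both creates and validates, which shows the two sides agree with each other but not that tokens issued by the already released version still decrypt. Since the commit message gives continued support of the released identifier as the reason for these tests, a case that validates a fixed, pre-generated token carrying that key-wrap identifier would pin the compatibility promise. A companion row whose validation key does not match, expecting a decryption failure, would also show that accepting the legacy identifier does not loosen key checks. This is inferred from the data rows alone; the test method that consumes them is outside the hunks.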
