Improve the EC curves comparison logic

5 years ago · 152de6e25c
2 changed files with 27 additions and 5 deletions
--- a/src/OpenIddict.Abstractions/OpenIddictResources.resx
+++ b/src/OpenIddict.Abstractions/OpenIddictResources.resx
@ -1506,6 +1506,12 @@ To register the OpenIddict core services, reference the 'OpenIddict.Core' packag
  <data name="ID4010" xml:space="preserve">
    <value>The token shouldn't be null or empty at this point.</value>
  </data>
  <data name="ID4011" xml:space="preserve">
    <value>EC-based keys shouldn't have a null OID.</value>
  </data>
  <data name="ID4012" xml:space="preserve">
    <value>EC-based keys should have a non-null OID raw value or friendly name.</value>
  </data>
  <data name="ID6000" xml:space="preserve">
    <value>An error occurred while validating the token '{Token}'.</value>
  </data>
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Discovery.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Discovery.cs
@ -1207,6 +1207,7 @@ namespace OpenIddict.Server
                            Debug.Assert(parameters.Value.Q.X is not null &&
                                         parameters.Value.Q.Y is not null, SR.GetResourceString(SR.ID4004));
                            Debug.Assert(parameters.Value.Curve.Oid is not null, SR.GetResourceString(SR.ID4011));
                            Debug.Assert(parameters.Value.Curve.IsNamed, SR.GetResourceString(SR.ID4005));
                            key.Kty = JsonWebAlgorithmsKeyTypes.EllipticCurve;
@ -1244,12 +1245,27 @@ namespace OpenIddict.Server
                    return default;
 #if SUPPORTS_ECDSA
-                    static bool IsCurve(ECParameters parameters, ECCurve curve) =>
+                    static bool IsCurve(ECParameters parameters, ECCurve curve)
                    {
                        Debug.Assert(parameters.Curve.Oid is not null, SR.GetResourceString(SR.ID4011));
                        Debug.Assert(curve.Oid is not null, SR.GetResourceString(SR.ID4011));
                        // Warning: on .NET Framework 4.x and .NET Core 2.1, exported ECParameters generally have
-                        // a null OID value attached. To work around this limitation, both the friendly names and
+                        // a null OID value attached. To work around this limitation, both the raw OID values and
-                        // the raw OID value are compared to determine whether the curve is of the specified type.
+                        // the friendly names are compared to determine whether the curve is of the specified type.
-                        string.Equals(parameters.Curve.Oid?.Value, curve.Oid?.Value, StringComparison.Ordinal) ||
+                        if (!string.IsNullOrEmpty(parameters.Curve.Oid.Value) && !string.IsNullOrEmpty(curve.Oid.Value))
-                        string.Equals(parameters.Curve.Oid?.FriendlyName, curve.Oid?.FriendlyName, StringComparison.Ordinal);
+                        {
                            return string.Equals(parameters.Curve.Oid.Value, curve.Oid.Value, StringComparison.Ordinal);
                        }
                        if (!string.IsNullOrEmpty(parameters.Curve.Oid.FriendlyName) && !string.IsNullOrEmpty(curve.Oid.FriendlyName))
                        {
                            return string.Equals(parameters.Curve.Oid.FriendlyName, curve.Oid.FriendlyName, StringComparison.Ordinal);
                        }
                        Debug.Fail(SR.GetResourceString(SR.ID4012));
                        return false;
                    }
 #endif
                    static byte[] GetCertificateHash(X509Certificate2 certificate, HashAlgorithmName algorithm)