From c27cac977eea9a52731f22fa28972a70521d4821 Mon Sep 17 00:00:00 2001 From: Noah Stahl <7528994+NoahStahl@users.noreply.github.com> Date: Mon, 2 Nov 2020 16:16:00 -0800 Subject: [PATCH] Add encryption key size validation --- .../Resources/OpenIddictResources.resx | 4 +++ .../OpenIddictServerBuilder.cs | 8 +++++- .../OpenIddictServerBuilderTests.cs | 28 ++++++++++++++++++- 3 files changed, 38 insertions(+), 2 deletions(-) diff --git a/src/OpenIddict.Abstractions/Resources/OpenIddictResources.resx b/src/OpenIddict.Abstractions/Resources/OpenIddictResources.resx index c2ebc116..6b1b842c 100644 --- a/src/OpenIddict.Abstractions/Resources/OpenIddictResources.resx +++ b/src/OpenIddict.Abstractions/Resources/OpenIddictResources.resx @@ -1385,6 +1385,10 @@ To register the OpenIddict core services, reference the 'OpenIddict.Core' packag The implicit flow must be enabled when adding a response type containing '{0}'. {Locked} + + Provided symmetric key was incorrect size. Expected {0} bits, received {1}. + {Locked} + The security token is missing. diff --git a/src/OpenIddict.Server/OpenIddictServerBuilder.cs b/src/OpenIddict.Server/OpenIddictServerBuilder.cs index 6a6ff4be..3342af6b 100644 --- a/src/OpenIddict.Server/OpenIddictServerBuilder.cs +++ b/src/OpenIddict.Server/OpenIddictServerBuilder.cs @@ -157,7 +157,8 @@ namespace Microsoft.Extensions.DependencyInjection /// /// Registers an encryption key. /// - /// The security key. + /// The security key. + /// /// The . public OpenIddictServerBuilder AddEncryptionKey(SecurityKey key) { @@ -175,6 +176,11 @@ namespace Microsoft.Extensions.DependencyInjection if (key.IsSupportedAlgorithm(SecurityAlgorithms.Aes256KW)) { + if (key.KeySize != 256) + { + throw new InvalidOperationException(SR.FormatID0283(256, key.KeySize)); + } + return AddEncryptionCredentials(new EncryptingCredentials(key, SecurityAlgorithms.Aes256KW, SecurityAlgorithms.Aes256CbcHmacSha512)); } 
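Review bot: The new `key.KeySize != 256` guard in the `Aes256KW` branch of `AddEncryptionKey` carries no comment saying why exactly 256 bits is required, and the literal 256 is repeated in the `SR.FormatID0283(256, key.KeySize)` call. I would put `// A256KW uses this key as the AES-256 key-encryption key, so it must be exactly 256 bits.` above the check and hoist the size into a local `const int` used in both places. Because the failure is caused by the argument, `ArgumentException` with `nameof(key)` may fit better than `InvalidOperationException`. The method starts and ends outside this hunk, so keep the current type if the other key rejections there already use it. The resource text says "symmetric key", but the branch is entered for any `SecurityKey` that reports `Aes256KW` support. Presumably only symmetric keys do, which is worth confirming.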
diff --git a/test/OpenIddict.Server.Tests/OpenIddictServerBuilderTests.cs b/test/OpenIddict.Server.Tests/OpenIddictServerBuilderTests.cs index 27d08474..e738efdc 100644 --- a/test/OpenIddict.Server.Tests/OpenIddictServerBuilderTests.cs +++ b/test/OpenIddict.Server.Tests/OpenIddictServerBuilderTests.cs @@ -170,7 +170,7 @@ namespace OpenIddict.Server.Tests var services = CreateServices(); var builder = CreateBuilder(services); - var key = Mock.Of(mock => mock.IsSupportedAlgorithm(SecurityAlgorithms.Aes256KW)); + var key = Mock.Of(mock => mock.KeySize == 256 && mock.IsSupportedAlgorithm(SecurityAlgorithms.Aes256KW)); // Act builder.AddEncryptionKey(key); @@ -181,6 +181,32 @@ namespace OpenIddict.Server.Tests Assert.Same(key, options.EncryptionCredentials[0].Key); } + [Fact] + public void AddEncryptionKey_ThrowsExceptionWhenSymmetricKeyIsTooShort() + { + // Arrange + var services = CreateServices(); + var builder = CreateBuilder(services); + + // Act and assert + var key = Mock.Of(mock => mock.KeySize == 128 && mock.IsSupportedAlgorithm(SecurityAlgorithms.Aes256KW)); + var exception = Assert.Throws(() => builder.AddEncryptionKey(key)); + Assert.Equal(SR.FormatID0283(256, 128), exception.Message); + } + + [Fact] + public void AddEncryptionKey_ThrowsExceptionWhenSymmetricKeyIsTooLong() + { + // Arrange + var services = CreateServices(); + var builder = CreateBuilder(services); + + // Act and assert + var key = Mock.Of(mock => mock.KeySize == 384 && mock.IsSupportedAlgorithm(SecurityAlgorithms.Aes256KW)); + var exception = Assert.Throws(() => builder.AddEncryptionKey(key)); + Assert.Equal(SR.FormatID0283(256, 384), exception.Message); + } + [Fact] public void RemoveEventHandler_ThrowsAnExceptionWhenDescriptorIsNull() {
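Review bot: The two added tests exercise only 128 and 384 bits, so the sizes most plausibly supplied by mistake are not pinned: 192 (a valid AES size) and 512 (which matches the `Aes256CbcHmacSha512` content algorithm paired with the key in the builder). The two methods are identical apart from the size, so a single `[Theory]` can cover all four values. The type arguments on `Mock.Of` and `Assert.Throws` are not visible on this page. The sketch below assumes `SecurityKey` and `InvalidOperationException`, taken from the builder hunk.

```csharp
[Theory]
[InlineData(128)]
[InlineData(192)]
[InlineData(384)]
[InlineData(512)]
public void AddEncryptionKey_ThrowsExceptionWhenSymmetricKeyHasUnexpectedSize(int size)
{
    // Arrange
    var services = CreateServices();
    var builder = CreateBuilder(services);
    var key = Mock.Of<SecurityKey>(mock => mock.KeySize == size && mock.IsSupportedAlgorithm(SecurityAlgorithms.Aes256KW));

    // Act and assert
    var exception = Assert.Throws<InvalidOperationException>(() => builder.AddEncryptionKey(key));
    Assert.Equal(SR.FormatID0283(256, size), exception.Message);
}
```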