Add tests for RsaOaepKeyWrap

Although RsaOeapKeyWrap identifier doesn't exist, we already released
and decided to support it.
That is the reason why we should keep RsaOaepKeyWrap tests around.

Author: GeoK

test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerTests.cs

@@ -823,6 +823,14 @@ public static TheoryData<CreateTokenTheoryData> RoundTripJWEKeyWrappingTheoryDat
                         EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepMgf1pKeyWrap, SecurityAlgorithms.Aes128CbcHmacSha256)
                     },
                     new CreateTokenTheoryData()
+                    {
+                        TestId = "WrongRsaOaepKeyWrapIdentifier-Aes128CbcHmacSha256",
+                        ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
+                        Payload = Default.PayloadString,
+                        SigningCredentials = Default.SymmetricSigningCredentials,
+                        EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes128CbcHmacSha256)
+                    },
+                    new CreateTokenTheoryData()
                     {
                         TestId = "RsaOaepKeyWrap-Aes192CbcHmacSha384",
                         ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
@@ -831,6 +839,14 @@ public static TheoryData<CreateTokenTheoryData> RoundTripJWEKeyWrappingTheoryDat
                         EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepMgf1pKeyWrap, SecurityAlgorithms.Aes192CbcHmacSha384)
                     },
                     new CreateTokenTheoryData()
+                    {
+                        TestId = "WrongRsaOaepKeyWrapIdentifier-Aes192CbcHmacSha384",
+                        ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
+                        Payload = Default.PayloadString,
+                        SigningCredentials = Default.SymmetricSigningCredentials,
+                        EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes192CbcHmacSha384)
+                    },
+                    new CreateTokenTheoryData()
                     {
                         TestId = "RsaOaepKeyWrap-Aes256CbcHmacSha512",
                         ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
@@ -839,6 +855,14 @@ public static TheoryData<CreateTokenTheoryData> RoundTripJWEKeyWrappingTheoryDat
                         EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepMgf1pKeyWrap, SecurityAlgorithms.Aes256CbcHmacSha512)
                     },
                     new CreateTokenTheoryData()
+                    {
+                        TestId = "WrongRsaOaepKeyWrapIdentifier-Aes256CbcHmacSha512",
+                        ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
+                        Payload = Default.PayloadString,
+                        SigningCredentials = Default.SymmetricSigningCredentials,
+                        EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes256CbcHmacSha512)
+                    },
+                    new CreateTokenTheoryData()
                     {
                         TestId = "SymmetricSecurityKey2_128-Aes128KW-Aes128CbcHmacSha256",
                         ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.SymmetricSecurityKey2_128, Default.SymmetricSigningKey256),
@@ -861,6 +885,14 @@ public static TheoryData<CreateTokenTheoryData> RoundTripJWEKeyWrappingTheoryDat
                         Payload = Default.PayloadString,
                         SigningCredentials = Default.SymmetricSigningCredentials,
                         EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepMgf1pKeyWrap, SecurityAlgorithms.Aes192CbcHmacSha384)
+                    },
+                     new CreateTokenTheoryData()
+                    {
+                        TestId = "WrongRsaOaepKeyWrapIdentifier-Aes192CbcHmacSha384",
+                        ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
+                        Payload = Default.PayloadString,
+                        SigningCredentials = Default.SymmetricSigningCredentials,
+                        EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes192CbcHmacSha384)
                     }
                 };
             }

test/Microsoft.IdentityModel.Tokens.Saml.Tests/Saml2SecurityTokenHandlerTests.cs

@@ -1713,6 +1713,9 @@ public static TheoryData<Saml2TheoryData> RoundTripEncryptedTokenTheoryData
                 var encryptingCredentials_KeyWrap_128_RSAOAEP = new X509EncryptingCredentials(cert, SecurityAlgorithms.RsaOaepMgf1pKeyWrap, SecurityAlgorithms.Aes128Gcm);
                 var encryptingCredentials_KeyWrap_192_RSAOAEP = new X509EncryptingCredentials(cert, SecurityAlgorithms.RsaOaepMgf1pKeyWrap, SecurityAlgorithms.Aes192Gcm);
                 var encryptingCredentials_KeyWrap_256_RSAOAEP = new X509EncryptingCredentials(cert, SecurityAlgorithms.RsaOaepMgf1pKeyWrap, SecurityAlgorithms.Aes256Gcm);
+                var encryptingCredentials_KeyWrap_128_Wrong_RSAOAEP_Identifier = new X509EncryptingCredentials(cert, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes128Gcm);
+                var encryptingCredentials_KeyWrap_192_Wrong_RSAOAEP_Identifier = new X509EncryptingCredentials(cert, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes192Gcm);
+                var encryptingCredentials_KeyWrap_256_Wrong_RSAOAEP_Identifier = new X509EncryptingCredentials(cert, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes256Gcm);
 
                 //SET HELPER CRYPTO PROVIDER FACTORY - remove when AES-GCM is released and supported
                 encryptingCredentials128_PreShared.CryptoProviderFactory = new AesGcmProviderFactory();
@@ -1721,6 +1724,9 @@ public static TheoryData<Saml2TheoryData> RoundTripEncryptedTokenTheoryData
                 encryptingCredentials_KeyWrap_128_RSAOAEP.CryptoProviderFactory = new AesGcmProviderFactory();
                 encryptingCredentials_KeyWrap_192_RSAOAEP.CryptoProviderFactory = new AesGcmProviderFactory();
                 encryptingCredentials_KeyWrap_256_RSAOAEP.CryptoProviderFactory = new AesGcmProviderFactory();
+                encryptingCredentials_KeyWrap_128_Wrong_RSAOAEP_Identifier.CryptoProviderFactory = new AesGcmProviderFactory();
+                encryptingCredentials_KeyWrap_192_Wrong_RSAOAEP_Identifier.CryptoProviderFactory = new AesGcmProviderFactory();
+                encryptingCredentials_KeyWrap_256_Wrong_RSAOAEP_Identifier.CryptoProviderFactory = new AesGcmProviderFactory();
 
                 // token descriptors (Pre_Shared for one scenario and KeyWrap for another one)
                 var tokenDescriptor_128_PreShared = CreateTokenDescriptor(signingCredentials, encryptingCredentials128_PreShared);
@@ -1729,6 +1735,9 @@ public static TheoryData<Saml2TheoryData> RoundTripEncryptedTokenTheoryData
                 var tokenDescriptor_KeyWrap_128_RSAOAEP = CreateTokenDescriptor(signingCredentials, encryptingCredentials_KeyWrap_128_RSAOAEP);
                 var tokenDescriptor_KeyWrap_192_RSAOAEP = CreateTokenDescriptor(signingCredentials, encryptingCredentials_KeyWrap_192_RSAOAEP);
                 var tokenDescriptor_KeyWrap_256_RSAOAEP = CreateTokenDescriptor(signingCredentials, encryptingCredentials_KeyWrap_256_RSAOAEP);
+                var tokenDescriptor_KeyWrap_128_Wrong_RSAOAEP_Identifier = CreateTokenDescriptor(signingCredentials, encryptingCredentials_KeyWrap_128_Wrong_RSAOAEP_Identifier);
+                var tokenDescriptor_KeyWrap_192_Wrong_RSAOAEP_Identifier = CreateTokenDescriptor(signingCredentials, encryptingCredentials_KeyWrap_192_Wrong_RSAOAEP_Identifier);
+                var tokenDescriptor_KeyWrap_256_Wrong_RSAOAEP_Identifier = CreateTokenDescriptor(signingCredentials, encryptingCredentials_KeyWrap_256_Wrong_RSAOAEP_Identifier);
 
                 var tokenDescriptor_KeyWrap_Signed = new SecurityTokenDescriptor
                 {
@@ -1794,6 +1803,30 @@ public static TheoryData<Saml2TheoryData> RoundTripEncryptedTokenTheoryData
                     TestId = nameof(tokenDescriptor_KeyWrap_256_RSAOAEP),
                 });
 
+                theoryData.Add(new Saml2TheoryData
+                {
+                    SecurityToken = tokenHandler.CreateToken(tokenDescriptor_KeyWrap_128_Wrong_RSAOAEP_Identifier) as Saml2SecurityToken,
+                    ValidationParameters = CreateTokenValidationParameters(signingKey, KeyingMaterial.DefaultX509Key_2048_With_KeyId),
+                    ExpectedException = ExpectedException.NoExceptionExpected,
+                    TestId = nameof(tokenDescriptor_KeyWrap_128_Wrong_RSAOAEP_Identifier),
+                });
+
+                theoryData.Add(new Saml2TheoryData
+                {
+                    SecurityToken = tokenHandler.CreateToken(tokenDescriptor_KeyWrap_192_Wrong_RSAOAEP_Identifier) as Saml2SecurityToken,
+                    ValidationParameters = CreateTokenValidationParameters(signingKey, KeyingMaterial.DefaultX509Key_2048_With_KeyId),
+                    ExpectedException = ExpectedException.NoExceptionExpected,
+                    TestId = nameof(tokenDescriptor_KeyWrap_192_Wrong_RSAOAEP_Identifier),
+                });
+
+                theoryData.Add(new Saml2TheoryData
+                {
+                    SecurityToken = tokenHandler.CreateToken(tokenDescriptor_KeyWrap_256_Wrong_RSAOAEP_Identifier) as Saml2SecurityToken,
+                    ValidationParameters = CreateTokenValidationParameters(signingKey, KeyingMaterial.DefaultX509Key_2048_With_KeyId),
+                    ExpectedException = ExpectedException.NoExceptionExpected,
+                    TestId = nameof(tokenDescriptor_KeyWrap_256_Wrong_RSAOAEP_Identifier),
+                });
+
                 return theoryData;
             }
         }

test/Microsoft.IdentityModel.Tokens.Tests/EncryptingCredentialsTests.cs

@@ -124,6 +124,13 @@ public static TheoryData<EncryptingCredentialsTheoryData> ConstructorATheoryData
                     Alg = SecurityAlgorithms.RsaOaepMgf1pKeyWrap,
                     Enc = SecurityAlgorithms.Aes128CbcHmacSha256,
                     TestId = "ValidTest"
+                },
+                new EncryptingCredentialsTheoryData
+                {
+                    Key = Default.AsymmetricEncryptionKeyPublic,
+                    Alg = SecurityAlgorithms.RsaOaepKeyWrap,
+                    Enc = SecurityAlgorithms.Aes128CbcHmacSha256,
+                    TestId = "ValidTest_WrongRsaOaepKeyWrapIdentifier"
                 }
             };
         }

test/System.IdentityModel.Tokens.Jwt.Tests/CreateAndValidateTokens.cs

@@ -801,6 +801,14 @@ public static TheoryData<string, SecurityTokenDescriptor, TokenValidationParamet
                 ExpectedException.NoExceptionExpected
             );
 
+            encryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes128CbcHmacSha256);
+            theoryData.Add(
+                "WrongRsaOaepKeyWrapIdentifier-Aes128CbcHmacSha256",
+                Default.SecurityTokenDescriptor(encryptingCredentials, Default.SymmetricSigningCredentials, ClaimSets.DefaultClaims),
+                Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
+                ExpectedException.NoExceptionExpected
+            );
+
             encryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepMgf1pKeyWrap, SecurityAlgorithms.Aes192CbcHmacSha384);
             theoryData.Add(
                 "RsaOaepKeyWrap-Aes192CbcHmacSha384",
@@ -809,6 +817,14 @@ public static TheoryData<string, SecurityTokenDescriptor, TokenValidationParamet
                 ExpectedException.NoExceptionExpected
             );
 
+            encryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes192CbcHmacSha384);
+            theoryData.Add(
+                "WrongRsaOaepKeyWrapIdentifier-Aes192CbcHmacSha384",
+                Default.SecurityTokenDescriptor(encryptingCredentials, Default.SymmetricSigningCredentials, ClaimSets.DefaultClaims),
+                Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
+                ExpectedException.NoExceptionExpected
+            );
+
             encryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepMgf1pKeyWrap, SecurityAlgorithms.Aes256CbcHmacSha512);
             theoryData.Add(
                 "RsaOaepKeyWrap-Aes256CbcHmacSha512",
@@ -817,6 +833,14 @@ public static TheoryData<string, SecurityTokenDescriptor, TokenValidationParamet
                 ExpectedException.NoExceptionExpected
             );
 
+            encryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes256CbcHmacSha512);
+            theoryData.Add(
+                "WrongRsaOaepKeyWrapIdentifier-Aes256CbcHmacSha512",
+                Default.SecurityTokenDescriptor(encryptingCredentials, Default.SymmetricSigningCredentials, ClaimSets.DefaultClaims),
+                Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
+                ExpectedException.NoExceptionExpected
+            );
+
             // signing key not found
             theoryData.Add(
                 "SigningKey-Not-Found",
@@ -866,6 +890,14 @@ public static TheoryData<string, SecurityTokenDescriptor, TokenValidationParamet
                 ExpectedException.NoExceptionExpected
             );
 
+            encryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes192CbcHmacSha384);
+            theoryData.Add(
+                "WrongRsaOaepKeyWrapIdentifier-Aes192CbcHmacSha384",
+                Default.SecurityTokenDescriptor(encryptingCredentials, Default.SymmetricSigningCredentials, ClaimSets.DefaultClaims),
+                Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
+                ExpectedException.NoExceptionExpected
+            );
+
             return theoryData;
         }