Compute dates in DefaultKeyResolver once (#60051)

martincostello · captainsafia · commit a64706087519 · 2025-02-11T12:58:34.000-08:00
Compute the maximum activation and creation `DateTImeOffset` for `DefaultKeyResolver` once before executing a LINQ query, rather than for each evaluation of `where`.
diff --git a/src/DataProtection/DataProtection/src/KeyManagement/DefaultKeyResolver.cs b/src/DataProtection/DataProtection/src/KeyManagement/DefaultKeyResolver.cs
@@ -157,8 +157,9 @@ private bool CanCreateAuthenticatedEncryptor(IKey key, ref int retriesRemaining)
         // fallback code below and the hypothetical advantage of making it easier for instances
         // to choose the same key in the event of a race (though we never managed to show that
         // empirically.  See also https://github.com/dotnet/aspnetcore/issues/57137.
+        var maxActivationDate = now + _maxServerToServerClockSkew;
         var preferredDefaultKey = (from key in allKeys
-                                   where key.ActivationDate <= now + _maxServerToServerClockSkew
+                                   where key.ActivationDate <= maxActivationDate
                                    orderby key.ActivationDate descending, key.KeyId ascending
                                    select key).FirstOrDefault();
 
@@ -192,13 +193,14 @@ private bool CanCreateAuthenticatedEncryptor(IKey key, ref int retriesRemaining)
         // Unlike for the preferred key, we don't choose a fallback key and then reject it if
         // CanCreateAuthenticatedEncryptor is false.  We want to end up with *some* key, so we
         // keep trying until we find one that works.
+        var maxCreationDate = now - _keyPropagationWindow;
         var unrevokedKeys = allKeys.Where(key => !key.IsRevoked);
         fallbackKey = (from key in (from key in unrevokedKeys
                                     where !ReferenceEquals(key, preferredDefaultKey) // Don't reconsider it as a fallback
-                                    where key.CreationDate <= now - _keyPropagationWindow
+                                    where key.CreationDate <= maxCreationDate
                                     orderby key.CreationDate descending
                                     select key).Concat(from key in unrevokedKeys
-                                                       where key.CreationDate > now - _keyPropagationWindow
+                                                       where key.CreationDate > maxCreationDate
                                                        orderby key.CreationDate ascending
                                                        select key)
                        where CanCreateAuthenticatedEncryptor(key, ref decryptRetriesRemaining)
