AzureAD · kllysng · Jun 18, 2024 · Jun 18, 2024 · Jun 18, 2024 · Jun 18, 2024
@@ -33,7 +33,6 @@ private struct AuthenticatedKeys
         private DecryptionDelegate DecryptFunction;
         private EncryptionDelegate EncryptFunction;
         private const string _className = "Microsoft.IdentityModel.Tokens.AuthenticatedEncryptionProvider";
-        internal const string _skipValidationOfAuthenticationTagLength = "Switch.Microsoft.IdentityModel.SkipAuthenticationTagLengthValidation"; 
 
         /// <summary>
         /// Initializes a new instance of the <see cref="AuthenticatedEncryptionProvider"/> class used for encryption and decryption.
@@ -167,8 +166,7 @@ private AuthenticatedEncryptionResult EncryptWithAesCbc(byte[] plaintext, byte[]
         private byte[] DecryptWithAesCbc(byte[] ciphertext, byte[] authenticatedData, byte[] iv, byte[] authenticationTag)
         {
             // Verify authentication Tag
-            if (ShouldValidateAuthenticationTagLength()
-                && SymmetricSignatureProvider.ExpectedSignatureSizeInBytes.TryGetValue(Algorithm, out int expectedTagLength)
+            if (SymmetricSignatureProvider.ExpectedSignatureSizeInBytes.TryGetValue(Algorithm, out int expectedTagLength)
                 && expectedTagLength != authenticationTag.Length)
                 throw LogHelper.LogExceptionMessage(new SecurityTokenDecryptionFailedException(
                     LogHelper.FormatInvariant(LogMessages.IDX10625, authenticationTag.Length, expectedTagLength, Base64UrlEncoder.Encode(authenticationTag), Algorithm)));
@@ -197,11 +195,6 @@ private byte[] DecryptWithAesCbc(byte[] ciphertext, byte[] authenticatedData, by
             }
         }
 
-        private static bool ShouldValidateAuthenticationTagLength()
-        {
-            return !(AppContext.TryGetSwitch(_skipValidationOfAuthenticationTagLength, out bool skipValidation) && skipValidation);
-        }
-
         private AuthenticatedKeys CreateAuthenticatedKeys()
         {
             ValidateKeySize(Key, Algorithm);

@@ -136,7 +136,7 @@ internal static class LogMessages
         // public const string IDX10622 = "IDX10622:";
         // public const string IDX10623 = "IDX10623:";
         // public const string IDX10624 = "IDX10624:";
-        public const string IDX10625 = "IDX10625: Failed to verify the authenticationTag length, the actual tag length '{0}' does not match the expected tag length '{1}'. authenticationTag: '{2}', algorithm: '{3}' See: https://aka.ms/IdentityModel/SkipAuthenticationTagLengthValidation";
+        public const string IDX10625 = "IDX10625: Failed to verify the authenticationTag length, the actual tag length '{0}' does not match the expected tag length '{1}'. authenticationTag: '{2}', algorithm: '{3}'.";
         // public const string IDX10627 = "IDX10627:";
         public const string IDX10628 = "IDX10628: Cannot set the MinimumSymmetricKeySizeInBits to less than '{0}'.";
         public const string IDX10630 = "IDX10630: The '{0}' for signing cannot be smaller than '{1}' bits. KeySize: '{2}'.";

@@ -11,8 +11,6 @@ namespace Microsoft.IdentityModel.Tokens
     /// </summary>
     public class X509EncryptingCredentials : EncryptingCredentials
     {
-        internal const string _useShortNameForRsaOaepKey = "Switch.Microsoft.IdentityModel.UseShortNameForRsaOaepKey";
-
         /// <summary>
         /// Designed to construct <see cref="EncryptingCredentials"/> based on a x509 certificate.
         /// </summary>
@@ -23,7 +21,7 @@ public class X509EncryptingCredentials : EncryptingCredentials
         /// </remarks>
         /// <exception cref="ArgumentNullException">if 'certificate' is null.</exception>
         public X509EncryptingCredentials(X509Certificate2 certificate)
-            : this(certificate, GetEncryptionAlgorithm(), SecurityAlgorithms.DefaultSymmetricEncryptionAlgorithm)
+            : this(certificate, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.DefaultSymmetricEncryptionAlgorithm)
         {
         }
 
@@ -50,15 +48,5 @@ public X509Certificate2 Certificate
             get;
             private set;
         }
-
-        private static string GetEncryptionAlgorithm()
-        {
-            return ShouldUseShortNameForRsaOaepKey() ? SecurityAlgorithms.RsaOAEP : SecurityAlgorithms.DefaultAsymmetricKeyWrapAlgorithm;
-        }
-
-        private static bool ShouldUseShortNameForRsaOaepKey()
-        {
-            return AppContext.TryGetSwitch(_useShortNameForRsaOaepKey, out var useKeyWrap) && useKeyWrap;
-        }
     }
 }
@@ -4190,10 +4190,9 @@ public static TheoryData<CreateTokenTheoryData> IncludeSecurityTokenOnFailureTes
         }
 
         [Theory, MemberData(nameof(ValidateAuthenticationTagLengthTheoryData))]
-        public void ValidateTokenAsync_ModifiedAuthNTag(CreateTokenTheoryData theoryData)
+        public async Task ValidateTokenAsync_ModifiedAuthNTag(CreateTokenTheoryData theoryData)
         {
             // arrange
-            AppContext.SetSwitch(AuthenticatedEncryptionProvider._skipValidationOfAuthenticationTagLength, theoryData.EnableAppContextSwitch);
             var payload = new JObject()
             {
                 { JwtRegisteredClaimNames.Email, "Bob@contoso.com" },
@@ -4217,9 +4216,7 @@ public void ValidateTokenAsync_ModifiedAuthNTag(CreateTokenTheoryData theoryData
             var jweWithExtraCharacters = jwe + "_cannoli_hunts_truffles_";
 
             // act
-            // calling ValidateTokenAsync.Result to prevent tests from sharing app context switch property
-            // normally, we would want to await ValidateTokenAsync().ConfigureAwait(false)
-            var tokenValidationResult = jsonWebTokenHandler.ValidateTokenAsync(jweWithExtraCharacters, theoryData.ValidationParameters).Result;
+            var tokenValidationResult = await jsonWebTokenHandler.ValidateTokenAsync(jweWithExtraCharacters, theoryData.ValidationParameters).ConfigureAwait(false);
 
             // assert
             Assert.Equal(theoryData.IsValid, tokenValidationResult.IsValid);
@@ -4281,47 +4278,6 @@ public static TheoryData<CreateTokenTheoryData> ValidateAuthenticationTagLengthT
                         ValidIssuer = "http://Default.Issuer.com",
                     },
                     IsValid = false
-                },
-                new("A128CBC-HS256_SkipTagLengthValidationAppContextSwitchOn_IsValid")
-                {
-                    EnableAppContextSwitch = true,
-                    Algorithm = SecurityAlgorithms.Aes128CbcHmacSha256,
-                    EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaPKCS1, SecurityAlgorithms.Aes128CbcHmacSha256),
-                    ValidationParameters = new TokenValidationParameters
-                    {
-                        TokenDecryptionKey = KeyingMaterial.JsonWebKeyRsa256SigningCredentials.Key,
-                        IssuerSigningKey = Default.SymmetricSigningKey256,
-                        ValidAudience = "http://Default.Audience.com",
-                        ValidIssuer = "http://Default.Issuer.com",
-                    },
-                    IsValid = true
-                },
-                new("A192CBC-HS384_SkipTagLengthValidationAppContextSwitchOn_IsValid")
-                {
-                    EnableAppContextSwitch = true,
-                    Algorithm = SecurityAlgorithms.Aes192CbcHmacSha384,
-                    EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaPKCS1, SecurityAlgorithms.Aes192CbcHmacSha384),
-                    ValidationParameters = new TokenValidationParameters
-                    {
-                        TokenDecryptionKey = KeyingMaterial.JsonWebKeyRsa256SigningCredentials.Key,
-                        IssuerSigningKey = Default.SymmetricSigningKey256,
-                        ValidAudience = "http://Default.Audience.com",
-                        ValidIssuer = "http://Default.Issuer.com",
-                    },
-                    IsValid = true
-                },
-                new("A256CBC-HS512_SkipTagLengthValidationAppContextSwitchOn_IsValid")
-                {
-                    EnableAppContextSwitch = true,
-                    EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaPKCS1, SecurityAlgorithms.Aes256CbcHmacSha512),
-                    ValidationParameters = new TokenValidationParameters
-                    {
-                        TokenDecryptionKey = signingCredentials512.Key,
-                        IssuerSigningKey = Default.SymmetricSigningKey256,
-                        ValidAudience = "http://Default.Audience.com",
-                        ValidIssuer = "http://Default.Issuer.com",
-                    },
-                    IsValid = true
                 }
             };
         }
@@ -4370,8 +4326,6 @@ public CreateTokenTheoryData(string testId) : base(testId)
         public IEnumerable<SecurityKey> ExpectedDecryptionKeys { get; set; }
 
         public Dictionary<string, object> ExpectedClaims { get; set; }
-
-        public bool EnableAppContextSwitch { get; set; } = false;
     }
 
     // Overrides CryptoProviderFactory.CreateAuthenticatedEncryptionProvider to create AuthenticatedEncryptionProviderMock that provides AesGcm encryption.

@@ -42,7 +42,7 @@ public static TheoryData<X509EncryptingCredentialsTheoryData> ConstructorsTheory
                 new X509EncryptingCredentialsTheoryData
                 {
                     Certificate = null,
-                    Alg = SecurityAlgorithms.RsaOaepKeyWrap,
+                    Alg = SecurityAlgorithms.RsaOAEP,
                     Enc = SecurityAlgorithms.Aes128CbcHmacSha256,
                     ExpectedException = ExpectedException.ArgumentNullException("IDX10000: The parameter 'certificate'"),
                     TestId = "NullCertificate"
@@ -58,7 +58,7 @@ public static TheoryData<X509EncryptingCredentialsTheoryData> ConstructorsTheory
                 new X509EncryptingCredentialsTheoryData
                 {
                     Certificate = Default.Certificate,
-                    Alg = SecurityAlgorithms.RsaOaepKeyWrap,
+                    Alg = SecurityAlgorithms.RsaOAEP,
                     Enc = String.Empty,
                     ExpectedException = ExpectedException.ArgumentNullException("IDX10000: The parameter 'enc'"),
                     TestId = "EmptyEncString"
@@ -74,15 +74,15 @@ public static TheoryData<X509EncryptingCredentialsTheoryData> ConstructorsTheory
                 new X509EncryptingCredentialsTheoryData
                 {
                     Certificate = Default.Certificate,
-                    Alg = SecurityAlgorithms.RsaOaepKeyWrap,
+                    Alg = SecurityAlgorithms.RsaOAEP,
                     Enc = null,
                     ExpectedException = ExpectedException.ArgumentNullException("IDX10000: The parameter 'enc'"),
                     TestId = "NullEncString"
                 },
                 new X509EncryptingCredentialsTheoryData
                 {
                     Certificate = Default.Certificate,
-                    Alg = SecurityAlgorithms.RsaOaepKeyWrap,
+                    Alg =  SecurityAlgorithms.RsaOAEP,
                     Enc = SecurityAlgorithms.Aes128CbcHmacSha256,
                     TestId = "ValidTest"
                 }