created helper method for validating key sizes

use ArgumentOutOfRangeException instead of InvalidOperation exception.
AzureAD · May 8, 2023 · 25545cd · 25545cd
1 parent 008e2f7
commit 25545cd
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 61 deletions.
diff --git a/src/Microsoft.IdentityModel.Tokens/CryptoProviderFactory.cs b/src/Microsoft.IdentityModel.Tokens/CryptoProviderFactory.cs
@@ -445,82 +445,40 @@ public virtual KeyedHashAlgorithm CreateKeyedHashAlgorithm(byte[] keyBytes, stri
             {
                 case SecurityAlgorithms.Aes128CbcHmacSha256:
                 {
-                        if (keyBytes.Length < 16)
-                            throw LogHelper.LogExceptionMessage(
-                                new InvalidOperationException(
-                                    LogHelper.FormatInvariant(LogMessages.IDX10720,
-                                    LogHelper.MarkAsNonPII(algorithm),
-                                    LogHelper.MarkAsNonPII("128"),
-                                    LogHelper.MarkAsNonPII(keyBytes.Length * 8))));
-
-                        return new HMACSHA256(keyBytes);
+                    ValidateKeySize(keyBytes, algorithm, 16);
+                    return new HMACSHA256(keyBytes);
                 }
 
                 case SecurityAlgorithms.Aes192CbcHmacSha384:
                 {
-                    if (keyBytes.Length < 24)
-                        throw LogHelper.LogExceptionMessage(
-                            new InvalidOperationException(
-                                LogHelper.FormatInvariant(LogMessages.IDX10720,
-                                LogHelper.MarkAsNonPII(algorithm),
-                                LogHelper.MarkAsNonPII("192"),
-                                LogHelper.MarkAsNonPII(keyBytes.Length * 8))));
-
+                    ValidateKeySize(keyBytes, algorithm, 24);
                     return new HMACSHA384(keyBytes);
                 }
 
                 case SecurityAlgorithms.Aes256CbcHmacSha512:
                 {
-                    if (keyBytes.Length < 32)
-                        throw LogHelper.LogExceptionMessage(
-                            new InvalidOperationException(
-                                LogHelper.FormatInvariant(LogMessages.IDX10720,
-                                LogHelper.MarkAsNonPII(algorithm),
-                                LogHelper.MarkAsNonPII("256"),
-                                LogHelper.MarkAsNonPII(keyBytes.Length * 8))));
-
+                    ValidateKeySize(keyBytes, algorithm, 32);
                     return new HMACSHA512(keyBytes);
                 }
 
                 case SecurityAlgorithms.HmacSha256Signature:
                 case SecurityAlgorithms.HmacSha256:
                 {
-                        if (keyBytes.Length < 32)
-                        throw LogHelper.LogExceptionMessage(
-                            new InvalidOperationException(
-                                LogHelper.FormatInvariant(LogMessages.IDX10720,
-                                LogHelper.MarkAsNonPII(algorithm),
-                                LogHelper.MarkAsNonPII("256"),
-                                LogHelper.MarkAsNonPII(keyBytes.Length * 8))));
-
+                    ValidateKeySize(keyBytes, algorithm, 32);
                     return new HMACSHA256(keyBytes);
                 }
 
                 case SecurityAlgorithms.HmacSha384Signature:
                 case SecurityAlgorithms.HmacSha384:
                 {
-                    if (keyBytes.Length < 48)
-                        throw LogHelper.LogExceptionMessage(
-                            new InvalidOperationException(
-                                LogHelper.FormatInvariant(LogMessages.IDX10720,
-                                LogHelper.MarkAsNonPII(algorithm),
-                                LogHelper.MarkAsNonPII("384"),
-                                LogHelper.MarkAsNonPII(keyBytes.Length * 8))));
-
+                    ValidateKeySize(keyBytes, algorithm, 48);
                     return new HMACSHA384(keyBytes);
                 }
 
                 case SecurityAlgorithms.HmacSha512Signature:
                 case SecurityAlgorithms.HmacSha512:
                 {
-                    if (keyBytes.Length < 64)
-                        throw LogHelper.LogExceptionMessage(
-                            new InvalidOperationException(
-                                LogHelper.FormatInvariant(LogMessages.IDX10720,
-                                LogHelper.MarkAsNonPII(algorithm),
-                                LogHelper.MarkAsNonPII("512"),
-                                LogHelper.MarkAsNonPII(keyBytes.Length * 8))));
-
+                    ValidateKeySize(keyBytes, algorithm, 64);
                     return new HMACSHA512(keyBytes);
                 }
 
@@ -529,6 +487,18 @@ public virtual KeyedHashAlgorithm CreateKeyedHashAlgorithm(byte[] keyBytes, stri
             }
         }
 
+        private static void ValidateKeySize(byte[] keyBytes, string algorithm, int expectedNumberOfBytes)
+        {
+            if (keyBytes.Length < expectedNumberOfBytes)
+                throw LogHelper.LogExceptionMessage(
+                    new ArgumentOutOfRangeException(
+                        nameof(keyBytes),
+                        LogHelper.FormatInvariant(LogMessages.IDX10720,
+                            LogHelper.MarkAsNonPII(algorithm),
+                            LogHelper.MarkAsNonPII(expectedNumberOfBytes * 8),
+                            LogHelper.MarkAsNonPII(keyBytes.Length * 8))));
+        }
+
         private SignatureProvider CreateSignatureProvider(SecurityKey key, string algorithm, bool willCreateSignatures, bool cacheProvider)
         {
             if (key == null)

diff --git a/test/Microsoft.IdentityModel.Tokens.Tests/SignatureProviderTests.cs b/test/Microsoft.IdentityModel.Tokens.Tests/SignatureProviderTests.cs
@@ -549,7 +549,7 @@ public static TheoryData<SignatureProviderTheoryData> SymmetricSignatureProvider
             }
         }
 
-        [Theory, MemberData(nameof(SymmetricVerifySingatureSizeTheoryData))]
+        [Theory, MemberData(nameof(SymmetricVerifySignatureSizeTheoryData))]
         public void SymmetricVerify1Tests(SignatureProviderTheoryData theoryData)
         {
             // verifies: public bool Verify(byte[] input, byte[] signature)
@@ -567,7 +567,7 @@ public void SymmetricVerify1Tests(SignatureProviderTheoryData theoryData)
             TestUtilities.AssertFailIfErrors(context);
         }
 
-        [Theory, MemberData(nameof(SymmetricVerifySingatureSizeTheoryData))]
+        [Theory, MemberData(nameof(SymmetricVerifySignatureSizeTheoryData))]
         public void SymmetricVerify2Tests(SignatureProviderTheoryData theoryData)
         {
             // verifies: public bool Verify(byte[] input, byte[] signature, int length)
@@ -585,7 +585,7 @@ public void SymmetricVerify2Tests(SignatureProviderTheoryData theoryData)
             TestUtilities.AssertFailIfErrors(context);
         }
 
-        [Theory, MemberData(nameof(SymmetricVerifySingatureSizeTheoryData))]
+        [Theory, MemberData(nameof(SymmetricVerifySignatureSizeTheoryData))]
         public void SymmetricVerify3Tests(SignatureProviderTheoryData theoryData)
         {
             // verifies: public override bool Verify(byte[] input, int inputOffset, int inputLength, byte[] signature, int signatureOffset, int signatureLength)
@@ -603,7 +603,7 @@ public void SymmetricVerify3Tests(SignatureProviderTheoryData theoryData)
             TestUtilities.AssertFailIfErrors(context);
         }
 
-        public static TheoryData<SignatureProviderTheoryData> SymmetricVerifySingatureSizeTheoryData
+        public static TheoryData<SignatureProviderTheoryData> SymmetricVerifySignatureSizeTheoryData
         {
             get
             {
@@ -634,7 +634,7 @@ public static TheoryData<SignatureProviderTheoryData> SymmetricVerifySingatureSi
             }
         }
 
-        [Theory, MemberData(nameof(SymmetricVerifySingatureSizeInternalTheoryData))]
+        [Theory, MemberData(nameof(SymmetricVerifySignatureSizeInternalTheoryData))]
         public void SymmetricVerify4Tests(SignatureProviderTheoryData theoryData)
         {
             // verifies: internal bool Verify(byte[] input, int inputOffset, int inputLength, byte[] signature, int signatureOffset, int signatureLength, string algorithm)
@@ -652,7 +652,7 @@ public void SymmetricVerify4Tests(SignatureProviderTheoryData theoryData)
             TestUtilities.AssertFailIfErrors(context);
         }
 
-        public static TheoryData<SignatureProviderTheoryData> SymmetricVerifySingatureSizeInternalTheoryData
+        public static TheoryData<SignatureProviderTheoryData> SymmetricVerifySignatureSizeInternalTheoryData
         {
             get
             {
@@ -767,14 +767,14 @@ public static TheoryData<SymmetricSignatureProviderTheoryData> SymmetricSecurity
             {
                 SecurityKey = new SymmetricSecurityKey(new byte[16]),
                 Algorithm = ALG.HmacSha256Signature,
-                ExpectedException = EE.InvalidOperationException("IDX10720:")
+                ExpectedException = EE.ArgumentOutOfRangeException("IDX10720:")
             });
 
             theoryData.Add(new SymmetricSignatureProviderTheoryData("HmacSha256")
             {
                 SecurityKey = new SymmetricSecurityKey(new byte[16]),
                 Algorithm = ALG.HmacSha256,
-                ExpectedException = EE.InvalidOperationException("IDX10720:")
+                ExpectedException = EE.ArgumentOutOfRangeException("IDX10720:")
             });
 
             theoryData.Add(new SymmetricSignatureProviderTheoryData("HmacSha256_32")
@@ -787,14 +787,14 @@ public static TheoryData<SymmetricSignatureProviderTheoryData> SymmetricSecurity
             {
                 SecurityKey = new SymmetricSecurityKey(new byte[32]),
                 Algorithm = ALG.HmacSha384Signature,
-                ExpectedException = EE.InvalidOperationException("IDX10720:")
+                ExpectedException = EE.ArgumentOutOfRangeException("IDX10720:")
             });
 
             theoryData.Add(new SymmetricSignatureProviderTheoryData("HmacSha384")
             {
                 SecurityKey = new SymmetricSecurityKey(new byte[32]),
                 Algorithm = ALG.HmacSha384,
-                ExpectedException = EE.InvalidOperationException("IDX10720:")
+                ExpectedException = EE.ArgumentOutOfRangeException("IDX10720:")
             });
 
             theoryData.Add(new SymmetricSignatureProviderTheoryData("HmacSha384_48")
@@ -807,14 +807,14 @@ public static TheoryData<SymmetricSignatureProviderTheoryData> SymmetricSecurity
             {
                 SecurityKey = new SymmetricSecurityKey(new byte[48]),
                 Algorithm = ALG.HmacSha512Signature,
-                ExpectedException = EE.InvalidOperationException("IDX10720:")
+                ExpectedException = EE.ArgumentOutOfRangeException("IDX10720:")
             });
 
             theoryData.Add(new SymmetricSignatureProviderTheoryData("HmacSha512")
             {
                 SecurityKey = new SymmetricSecurityKey(new byte[48]),
                 Algorithm = ALG.HmacSha512,
-                ExpectedException = EE.InvalidOperationException("IDX10720:")
+                ExpectedException = EE.ArgumentOutOfRangeException("IDX10720:")
             });
 
             theoryData.Add(new SymmetricSignatureProviderTheoryData("HmacSha512_64")