Revert "Add support for RSA-OAEP 256 (#1293)"

This reverts commit 67da84e.
AzureAD · Jun 14, 2024 · 3f1697b · 3f1697b
1 parent b8b244b
commit 3f1697b
Show file tree

Hide file tree

Showing 10 changed files with 5 additions and 119 deletions.
diff --git a/src/Microsoft.IdentityModel.Tokens/AsymmetricAdapter.cs b/src/Microsoft.IdentityModel.Tokens/AsymmetricAdapter.cs
@@ -199,14 +199,9 @@ private void InitializeUsingRsa(RSA rsa, string algorithm)
                 RSASignaturePadding = RSASignaturePadding.Pkcs1;
             }
 
-            RSAEncryptionPadding = algorithm switch
-            {
-                SecurityAlgorithms.RsaOAEP => RSAEncryptionPadding.OaepSHA1,
-                SecurityAlgorithms.RsaOaepKeyWrap => RSAEncryptionPadding.OaepSHA1,
-                SecurityAlgorithms.RsaOAEP256 => RSAEncryptionPadding.OaepSHA256,
-                _ => RSAEncryptionPadding.Pkcs1
-            };
-
+            RSAEncryptionPadding = (algorithm.Equals(SecurityAlgorithms.RsaOAEP) || algorithm.Equals(SecurityAlgorithms.RsaOaepKeyWrap))
+                        ? RSAEncryptionPadding.OaepSHA1
+                        : RSAEncryptionPadding.Pkcs1;
             RSA = rsa;
             _decryptFunction = DecryptWithRsa;
             _encryptFunction = EncryptWithRsa;

diff --git a/src/Microsoft.IdentityModel.Tokens/SecurityAlgorithms.cs b/src/Microsoft.IdentityModel.Tokens/SecurityAlgorithms.cs
@@ -31,7 +31,6 @@ public static class SecurityAlgorithms
         public const string Aes256KW = "A256KW";
         public const string RsaPKCS1 = "RSA1_5";
         public const string RsaOAEP = "RSA-OAEP";
-        public const string RsaOAEP256 = "RSA-OAEP-256";
 
         // See: https://www.w3.org/TR/xmlenc-core1/#sec-Exclusive-Canonicalization
         public const string ExclusiveC14n = "http://www.w3.org/2001/10/xml-exc-c14n#";

diff --git a/src/Microsoft.IdentityModel.Tokens/SupportedAlgorithms.cs b/src/Microsoft.IdentityModel.Tokens/SupportedAlgorithms.cs
@@ -40,7 +40,6 @@ internal static class SupportedAlgorithms
         internal static readonly ICollection<string> RsaEncryptionAlgorithms = new Collection<string>
         {
             SecurityAlgorithms.RsaOAEP,
-            SecurityAlgorithms.RsaOAEP256,
             SecurityAlgorithms.RsaPKCS1,
             SecurityAlgorithms.RsaOaepKeyWrap
         };

diff --git a/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerTests.cs b/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandlerTests.cs
@@ -2744,30 +2744,6 @@ public static TheoryData<CreateTokenTheoryData> RoundTripJWEKeyWrapTestCases
                         EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes128CbcHmacSha256)
                     },
                     new CreateTokenTheoryData
-                    {
-                        TestId = "RsaOAEP256_Aes128CbcHmacSha256",
-                        ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
-                        Payload = Default.PayloadString,
-                        SigningCredentials = Default.SymmetricSigningCredentials,
-                        EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOAEP256, SecurityAlgorithms.Aes128CbcHmacSha256)
-                    },
-                    new CreateTokenTheoryData
-                    {
-                        TestId = "RsaOAEP256_Aes192CbcHmacSha384",
-                        ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
-                        Payload = Default.PayloadString,
-                        SigningCredentials = Default.SymmetricSigningCredentials,
-                        EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOAEP256, SecurityAlgorithms.Aes192CbcHmacSha384)
-                    },
-                    new CreateTokenTheoryData
-                    {
-                        TestId = "RsaOAEP256_Aes256CbcHmacSha512",
-                        ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
-                        Payload = Default.PayloadString,
-                        SigningCredentials = Default.SymmetricSigningCredentials,
-                        EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOAEP256, SecurityAlgorithms.Aes256CbcHmacSha512)
-                    },
-                    new CreateTokenTheoryData
                     {
                         TestId = "RsaOAEP_Aes192CbcHmacSha384",
                         ValidationParameters = Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),

diff --git a/test/Microsoft.IdentityModel.KeyVaultExtensions.Tests/KeyVaultKeyWrapProviderTests.cs b/test/Microsoft.IdentityModel.KeyVaultExtensions.Tests/KeyVaultKeyWrapProviderTests.cs
@@ -59,12 +59,6 @@ public static TheoryData<KeyWrapProviderTheoryData> DisposeProviderTheoryData
                     ExpectedException = ExpectedException.NoExceptionExpected,
                     TestId = nameof(SecurityAlgorithms.RsaOAEP),
                 },
-                new KeyWrapProviderTheoryData
-                {
-                    Algorithm = SecurityAlgorithms.RsaOAEP256,
-                    ExpectedException = ExpectedException.NoExceptionExpected,
-                    TestId = nameof(SecurityAlgorithms.RsaOAEP256),
-                },
             };
         }
 

diff --git a/test/Microsoft.IdentityModel.Tokens.Tests/KeyVaultVerify.cs b/test/Microsoft.IdentityModel.Tokens.Tests/KeyVaultVerify.cs
@@ -28,7 +28,6 @@ public void DecryptValidate(KeyWrapTestParams testParams)
                 CryptoProviderFactory.Default.ReleaseKeyWrapProvider(keyWrapProvider);
             }
             else if (testParams.Algorithm.Equals(SecurityAlgorithms.RsaOAEP, StringComparison.OrdinalIgnoreCase)
-                    || testParams.Algorithm.Equals(SecurityAlgorithms.RsaOAEP256, StringComparison.OrdinalIgnoreCase)
                     || testParams.Algorithm.Equals(SecurityAlgorithms.RsaPKCS1, StringComparison.OrdinalIgnoreCase))
             {
                 var keyWrapProvider = CryptoProviderFactory.Default.CreateKeyWrapProvider(testParams.Key, testParams.Algorithm);

diff --git a/test/Microsoft.IdentityModel.Tokens.Tests/ReferenceTests.cs b/test/Microsoft.IdentityModel.Tokens.Tests/ReferenceTests.cs
@@ -182,9 +182,7 @@ public void KeyWrapReferenceTest(KeyWrapTestParams testParams)
                 Assert.True(Utility.AreEqual(unwrappedKey, testParams.KeyToWrap), "Utility.AreEqual(unwrappedKey, testParams.KeyToWrap)");
             }
             else if (testParams.Algorithm.Equals(SecurityAlgorithms.RsaOAEP, StringComparison.OrdinalIgnoreCase)
-                    || testParams.Algorithm.Equals(SecurityAlgorithms.RsaPKCS1, StringComparison.OrdinalIgnoreCase)
-                    || testParams.Algorithm.Equals(SecurityAlgorithms.RsaOAEP256, StringComparison.OrdinalIgnoreCase)
-                    )
+                    || testParams.Algorithm.Equals(SecurityAlgorithms.RsaPKCS1, StringComparison.OrdinalIgnoreCase))
             {
                 var rsaKeyWrapProvider = CryptoProviderFactory.Default.CreateKeyWrapProvider(testParams.Key, testParams.Algorithm);
                 byte[] unwrappedKey = rsaKeyWrapProvider.UnwrapKey(testParams.EncryptedKey);

diff --git a/test/Microsoft.IdentityModel.Tokens.Tests/RsaKeyWrapProviderTests.cs b/test/Microsoft.IdentityModel.Tokens.Tests/RsaKeyWrapProviderTests.cs
@@ -103,14 +103,6 @@ public static TheoryData<KeyWrapTheoryData> RsaKeyWrapConstructorTheoryData()
                     WrapKey = KeyingMaterial.RsaSecurityKey_1024
                 },
                 new KeyWrapTheoryData
-                {
-                    ExpectedException =  ExpectedException.SecurityTokenKeyWrapException("IDX10661:"),
-                    TestId = "KeyTooSmall1024",
-                    WillUnwrap = false,
-                    WrapAlgorithm = SecurityAlgorithms.RsaOAEP256,
-                    WrapKey = KeyingMaterial.RsaSecurityKey_1024
-                },
-                new KeyWrapTheoryData
                 {
                     ExpectedException = ExpectedException.SecurityTokenKeyWrapException("IDX10661:"),
                     TestId = "KeyDoesNotMatchAlgorithm",
@@ -213,38 +205,11 @@ public static TheoryData<KeyWrapTheoryData> RsaUnwrapMismatchTheoryData()
                 new KeyWrapTheoryData
                 {
                     ExpectedException = ExpectedException.KeyWrapException("IDX10659:"),
-                    TestId = "AlgorithmAndKeyMismatchRsaPKCS1Bits4096RsaOAEPKey2048",
+                    TestId = "AlgorithmAndKeyMismatchRsaPKCS1Bits4096RsaOAEKey2048",
                     UnwrapAlgorithm = SecurityAlgorithms.RsaOAEP,
                     UnwrapKey = KeyingMaterial.RsaSecurityKey_2048,
                     WrapAlgorithm = SecurityAlgorithms.RsaPKCS1,
                     WrapKey = KeyingMaterial.RsaSecurityKey_4096_Public,
-                },
-                new KeyWrapTheoryData
-                {
-                    ExpectedException = ExpectedException.KeyWrapException("IDX10659:"),
-                    TestId = "AlgorithmMismatchRsaPKCS1RsaOAEP256",
-                    UnwrapAlgorithm = SecurityAlgorithms.RsaOAEP256,
-                    UnwrapKey = KeyingMaterial.RsaSecurityKey_2048,
-                    WrapAlgorithm = SecurityAlgorithms.RsaPKCS1,
-                    WrapKey = KeyingMaterial.RsaSecurityKey_2048_Public
-                },
-                new KeyWrapTheoryData
-                {
-                    ExpectedException = ExpectedException.KeyWrapException("IDX10659:"),
-                    TestId = "KeyMismatchRsa4096Rsa2048",
-                    UnwrapAlgorithm = SecurityAlgorithms.RsaOAEP256,
-                    UnwrapKey = KeyingMaterial.RsaSecurityKey_2048,
-                    WrapAlgorithm = SecurityAlgorithms.RsaOAEP,
-                    WrapKey = KeyingMaterial.RsaSecurityKey_4096_Public,
-                },
-                new KeyWrapTheoryData
-                {
-                    ExpectedException = ExpectedException.KeyWrapException("IDX10659:"),
-                    TestId = "AlgorithmAndKeyMismatchRsaPKCS1Bits4096RsaOAEP256Key2048",
-                    UnwrapAlgorithm = SecurityAlgorithms.RsaOAEP256,
-                    UnwrapKey = KeyingMaterial.RsaSecurityKey_2048,
-                    WrapAlgorithm = SecurityAlgorithms.RsaPKCS1,
-                    WrapKey = KeyingMaterial.RsaSecurityKey_4096_Public,
                 }
             };
         }
@@ -403,13 +368,6 @@ public static TheoryData<KeyWrapTheoryData> RsaWrapUnwrapTheoryData()
                 ExpectedException.ArgumentNullException(),
                 theoryData);
 
-            AddWrapUnwrapTheoryData(
-                "Test4",
-                SecurityAlgorithms.RsaOAEP256,
-                KeyingMaterial.RsaSecurityKey_2048_Public,
-                KeyingMaterial.RsaSecurityKey_2048,
-                theoryData);
-
             return theoryData;
         }
 

diff --git a/test/System.IdentityModel.Tokens.Jwt.Tests/CreateAndValidateTokens.cs b/test/System.IdentityModel.Tokens.Jwt.Tests/CreateAndValidateTokens.cs
@@ -799,30 +799,6 @@ public static TheoryData<string, SecurityTokenDescriptor, TokenValidationParamet
                 ExpectedException.NoExceptionExpected
             );
 
-            encryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOAEP256, SecurityAlgorithms.Aes128CbcHmacSha256);
-            theoryData.Add(
-                "RsaOAEP256-Aes128CbcHmacSha256",
-                Default.SecurityTokenDescriptor(encryptingCredentials, Default.SymmetricSigningCredentials, ClaimSets.DefaultClaims),
-                Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
-                ExpectedException.NoExceptionExpected
-            );
-
-            encryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOAEP256, SecurityAlgorithms.Aes192CbcHmacSha384);
-            theoryData.Add(
-                "RsaOAEP256-Aes192CbcHmacSha384",
-                Default.SecurityTokenDescriptor(encryptingCredentials, Default.SymmetricSigningCredentials, ClaimSets.DefaultClaims),
-                Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
-                ExpectedException.NoExceptionExpected
-            );
-
-            encryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOAEP256, SecurityAlgorithms.Aes256CbcHmacSha512);
-            theoryData.Add(
-                "RsaOAEP256-Aes256CbcHmacSha512",
-                Default.SecurityTokenDescriptor(encryptingCredentials, Default.SymmetricSigningCredentials, ClaimSets.DefaultClaims),
-                Default.TokenValidationParameters(KeyingMaterial.RsaSecurityKey_2048, Default.SymmetricSigningKey256),
-                ExpectedException.NoExceptionExpected
-            );
-
             encryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaOaepKeyWrap, SecurityAlgorithms.Aes128CbcHmacSha256);
             theoryData.Add(
                 "RsaOaepKeyWrap-Aes128CbcHmacSha256",

diff --git a/test/System.IdentityModel.Tokens.Jwt.Tests/JwtSecurityTokenHandlerTests.cs b/test/System.IdentityModel.Tokens.Jwt.Tests/JwtSecurityTokenHandlerTests.cs
@@ -2767,7 +2767,6 @@ public static TheoryData<KeyWrapTokenTheoryData> KeyWrapTokenTheoryData()
             var theoryData = new TheoryData<KeyWrapTokenTheoryData>();
             var handler = new JwtSecurityTokenHandler();
             var rsaOAEPEncryptingCredential = new EncryptingCredentials(KeyingMaterial.DefaultX509Key_2048, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes256CbcHmacSha512);
-            var rsaOAEP256EncryptingCredential = new EncryptingCredentials(KeyingMaterial.DefaultX509Key_2048, SecurityAlgorithms.RsaOAEP256, SecurityAlgorithms.Aes256CbcHmacSha512);
             var rsaPKCS1EncryptingCredential = new EncryptingCredentials(KeyingMaterial.DefaultX509Key_2048, SecurityAlgorithms.RsaPKCS1, SecurityAlgorithms.Aes256CbcHmacSha512);
 
             theoryData.Add(new KeyWrapTokenTheoryData
@@ -2777,13 +2776,6 @@ public static TheoryData<KeyWrapTokenTheoryData> KeyWrapTokenTheoryData()
                 TestId = "Key wrap token test using OAEP padding"
             });
 
-            theoryData.Add(new KeyWrapTokenTheoryData
-            {
-                EncryptingCredentials = rsaOAEP256EncryptingCredential,
-                DecryptingCredentials = rsaOAEP256EncryptingCredential,
-                TestId = "Key wrap token test using OAEP-256 padding"
-            });
-
             theoryData.Add(new KeyWrapTokenTheoryData
             {
                 EncryptingCredentials = rsaPKCS1EncryptingCredential,