From cb40870f366c5ccc9edb46df1cf5d2a319dadeb5 Mon Sep 17 00:00:00 2001
From: George Krechar
Date: Thu, 12 Dec 2019 10:16:39 -0800
Subject: [PATCH] Fix ECCurve comparison and add new credscan exclusion entry
* On some systems, the Oid.Value property is the primary referenced identifier, while on others it's the Oid.FriendlyName property. https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.eccurve.oid?view=netcore-3.0#remarks
---
 build/credscan-exclusion.json | 4 ++++
 src/Microsoft.IdentityModel.Tokens/ECDsaAdapter.cs | 8 ++++----
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/build/credscan-exclusion.json b/build/credscan-exclusion.json
index dd8cf28e93..708ff2c2b2 100644
--- a/build/credscan-exclusion.json
+++ b/build/credscan-exclusion.json
@@ -40,6 +40,10 @@
 {
 "file": "SignedHttpRequestTestUtils.cs",
 "_justification": "File contains tokens that are used only for testing purposes."
+ },
+ {
+ "file": "JsonWebKeyTests.cs",
+ "_justification": "File contains tokens that are used only for testing purposes."
 }
 ]
 }
\ No newline at end of file
diff --git a/src/Microsoft.IdentityModel.Tokens/ECDsaAdapter.cs b/src/Microsoft.IdentityModel.Tokens/ECDsaAdapter.cs
index 2a497a5a4a..7c6aa893cf 100644
--- a/src/Microsoft.IdentityModel.Tokens/ECDsaAdapter.cs
+++ b/src/Microsoft.IdentityModel.Tokens/ECDsaAdapter.cs
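Review bot: The new `JsonWebKeyTests.cs` entry in build/credscan-exclusion.json turns the credential scan off for that file as a whole, so anything added to it later goes unreported too, including a real key pasted in by mistake. Its `_justification` is copied verbatim from the entry above and does not say which material triggered the scan. Wording that names the material gives the next reviewer something to check, for example `"_justification": "EC JWK test vectors generated for unit tests; no production key material."` if that is what the file holds. The entry is keyed on a bare file name, which presumably matches every file of that name in the repository; if the scanner accepts a path, the test file's full path would be narrower.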
@@ -378,14 +378,14 @@ internal string GetCrvParameterValue(ECCurve curve)
 if (curve.Oid == null)
 throw LogHelper.LogArgumentNullException(nameof(curve.Oid));
- if (string.Equals(curve.Oid.FriendlyName, ECCurve.NamedCurves.nistP256.Oid.FriendlyName, StringComparison.Ordinal))
+ if (string.Equals(curve.Oid.Value, ECCurve.NamedCurves.nistP256.Oid.Value, StringComparison.Ordinal) || string.Equals(curve.Oid.FriendlyName, ECCurve.NamedCurves.nistP256.Oid.FriendlyName, StringComparison.Ordinal))
 return JsonWebKeyECTypes.P256;
- else if (string.Equals(curve.Oid.FriendlyName, ECCurve.NamedCurves.nistP384.Oid.FriendlyName, StringComparison.Ordinal))
+ else if (string.Equals(curve.Oid.Value, ECCurve.NamedCurves.nistP384.Oid.Value, StringComparison.Ordinal) || string.Equals(curve.Oid.FriendlyName, ECCurve.NamedCurves.nistP384.Oid.FriendlyName, StringComparison.Ordinal))
 return JsonWebKeyECTypes.P384;
- else if (string.Equals(curve.Oid.FriendlyName, ECCurve.NamedCurves.nistP521.Oid.FriendlyName, StringComparison.Ordinal))
+ else if (string.Equals(curve.Oid.Value, ECCurve.NamedCurves.nistP521.Oid.Value, StringComparison.Ordinal) || string.Equals(curve.Oid.FriendlyName, ECCurve.NamedCurves.nistP521.Oid.FriendlyName, StringComparison.Ordinal))
 return JsonWebKeyECTypes.P521;
 else
- throw LogHelper.LogExceptionMessage(new ArgumentException(LogHelper.FormatInvariant(LogMessages.IDX10645, curve.Oid.FriendlyName ?? "null")));
+ throw LogHelper.LogExceptionMessage(new ArgumentException(LogHelper.FormatInvariant(LogMessages.IDX10645, (curve.Oid.Value ?? curve.Oid.FriendlyName) ?? "null")));
 }
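Review bot: `string.Equals(null, null, StringComparison.Ordinal)` returns true, so each of the three new `Oid.Value` comparisons (and the `FriendlyName` ones beside them) counts a property that is null on both sides as a match. The commit message and the `?? curve.Oid.FriendlyName` fallback in the new throw both treat a null `Value` as possible. If the reference curve's `Value` is also null on such a platform (not confirmable from the hunk), the first branch would return P256 for any curve identified only by friendly name, and the key would carry the wrong `crv`. Require a non-null value before either property counts, for instance through a small helper as below. GetCrvParameterValue begins above the hunk, so any earlier checks are not visible here.

```csharp
// string.Equals(null, null, ...) is true, so a property that is null on both OIDs must not count as a match.
private static bool IsSameCurve(Oid actual, Oid expected)
{
    return (actual.Value != null && string.Equals(actual.Value, expected.Value, StringComparison.Ordinal))
        || (actual.FriendlyName != null && string.Equals(actual.FriendlyName, expected.FriendlyName, StringComparison.Ordinal));
}

// … unchanged: curve.Oid null check …
if (IsSameCurve(curve.Oid, ECCurve.NamedCurves.nistP256.Oid))
    return JsonWebKeyECTypes.P256;
// … same rewrite for the nistP384 and nistP521 branches; else branch unchanged …
```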