From 42f9aa48399a1725d0b20411fa06edcc83b0e951 Mon Sep 17 00:00:00 2001
From: Peter <34331512+pmaytak@users.noreply.github.com>
Date: Wed, 19 Feb 2025 11:46:41 -0800
Subject: [PATCH] Add test cases.

---
 .../JsonWebTokenHandler.DecryptTokenTests.cs | 49 +++++++++++++++++--
 1 file changed, 44 insertions(+), 5 deletions(-)

diff --git a/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandler.DecryptTokenTests.cs b/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandler.DecryptTokenTests.cs
index 05c138ea9d..ba3f71804b 100644
--- a/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandler.DecryptTokenTests.cs
+++ b/test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandler.DecryptTokenTests.cs
@@ -121,7 +121,10 @@ static Dictionary AdditionalEcdhEsHeaderParameters(JsonWebKey pu
                 return additionalHeaderParams;
             }
 #endif
-            var configurationThatThrows = CreateCustomConfigurationThatThrows();
+            var rsaKey = new RsaSecurityKey(KeyingMaterial.RsaParameters_2048) { KeyId = "CustomRsaSecurityKey_2048" };
+            var configurationThatThrows = CreateCustomConfigurationThatThrows(rsaKey);
+
+            var configurationWithMismatchedKeys = new CustomConfiguration(rsaKey);
 
             return new TheoryData
             {
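Review bot: `rsaKey` is one mutable SecurityKey instance handed both to `CreateCustomConfigurationThatThrows(rsaKey)` and to `new CustomConfiguration(rsaKey)`, so any state that helper sets on the key (for example a `CryptoProviderFactory`, which it does assign to `sym512Hey` in a later hunk) would silently also apply to `configurationWithMismatchedKeys`; in the visible lines only the symmetric key gets the throwing factory, so this is a coupling risk rather than a present failure. Giving the mismatched-keys fixture its own instance keeps the two configurations independent: `var configurationWithMismatchedKeys = new CustomConfiguration(new RsaSecurityKey(KeyingMaterial.RsaParameters_2048) { KeyId = "CustomRsaSecurityKey_2048" });`. A one-line comment saying what "mismatched" means would also help readers, e.g. `// kid differs from the kid the descriptor's EncryptingCredentials writes into the JWE header` (the key material relationship is not visible in this hunk, so confirm before stating it). The enclosing property/method starts before this hunk.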
@@ -253,12 +256,50 @@ static Dictionary AdditionalEcdhEsHeaderParameters(JsonWebKey pu
                         ValidationFailureType.TokenDecryptionFailed,
                         typeof(SecurityTokenDecryptionFailedException),
                         null),
-                },
+                },
+                new TokenDecryptingTheoryData
+                {
+                    TestId = "KeyIdMismatch_TryAllDecryptionKeysTrue_DecryptionSucceeds",
+                    SecurityTokenDescriptor = new SecurityTokenDescriptor
+                    {
+                        SigningCredentials = KeyingMaterial.JsonWebKeyRsa256SigningCredentials,
+                        EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaPKCS1, SecurityAlgorithms.Aes128CbcHmacSha256),
+                        Claims = Default.PayloadDictionary
+                    },
+                    ValidationParameters = new ValidationParameters(), // TryAllDecryptionKeys is true by default
+                    Configuration = configurationWithMismatchedKeys,
+                    Result = "eyJhbGciOiJSUzI1NiIsImtpZCI6Ikpzb25XZWJLZXlSc2FfMjA0OCIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJodHRwOi8vRGVmYXVsdC5BdWRpZW5jZS5jb20iLCJhenAiOiJodHRwOi8vRGVmYXVsdC5BenAuY29tIiwiZW1haWwiOiJCb2JAY29udG9zby5jb20iLCJleHAiOiIyNTM0MDIzMDA3OTkiLCJnaXZlbl9uYW1lIjoiQm9iIiwiaXNzIjoiaHR0cDovL0RlZmF1bHQuSXNzdWVyLmNvbSIsImlhdCI6IjE0ODk3NzU2MTciLCJqdGkiOiJKdGkiLCJuYmYiOiIxNDg5Nzc1NjE3In0.Et69LAC4sn6nNm_HNz_AnJ8siLT6LRTjDSb1aY8APcwJmPn-TxU-8GG5_bmNkoVukR7hkYG2JuWPxJKbjDd73BlmelaiyZBoPUyU0S-GX3XgyC2v_CkOq4yYbtD-kq5s7kNNj5QJjZDq0oJeqcUMrq4xRWATPtUMkIZ0GpEhO_C5MFxT8jAWe_a2gyUA4KoibalKtkYgFvgLcvyZJhUx7AERbli6b7OkUksFp9zIwmc_jZZCXJ_F_wASyj9KgHQKN9VHER3bB2zQeWHR0q32ODYC4ggsan-Nkm-jIsATi2tgkKzROzK55dy8ZdFArXUYJRpI_raYkTUHRK_wP3GqtQ",
+                },
+                new TokenDecryptingTheoryData
+                {
+                    TestId = "KeyIdMismatch_TryAllDecryptionKeysFalse_DecryptionFails",
+                    ExpectedException = ExpectedException.SecurityTokenDecryptionFailedException("IDX10609:"),
+                    SecurityTokenDescriptor = new SecurityTokenDescriptor
+                    {
+                        SigningCredentials = KeyingMaterial.JsonWebKeyRsa256SigningCredentials,
+                        EncryptingCredentials = new EncryptingCredentials(KeyingMaterial.RsaSecurityKey_2048, SecurityAlgorithms.RsaPKCS1, SecurityAlgorithms.Aes128CbcHmacSha256),
+                        Claims = Default.PayloadDictionary
+                    },
+                    ValidationParameters = new ValidationParameters
+                    {
+                        TryAllDecryptionKeys = false,
+                    },
+                    Configuration = configurationWithMismatchedKeys,
+                    Result = new ValidationError(
+                        new MessageDetail(
+                            TokenLogMessages.IDX10609,
+                            LogHelper.MarkAsSecurityArtifact(
+                                new JsonWebToken(ReferenceTokens.JWEDirectEncryptionUnsignedInnerJWTWithAdditionalHeaderClaims),
+                                JwtTokenUtilities.SafeLogJwtToken)),
+                        ValidationFailureType.TokenDecryptionFailed,
+                        typeof(SecurityTokenDecryptionFailedException),
+                        null),
+                },
             };
         }
     }
 
-    private static CustomConfiguration CreateCustomConfigurationThatThrows()
+    private static CustomConfiguration CreateCustomConfigurationThatThrows(SecurityKey rsaKey)
     {
         var customCryptoProviderFactory = new DerivedCryptoProviderFactory
         {
@@ -269,8 +310,6 @@ private static CustomConfiguration CreateCustomConfigurationThatThrows()
         var sym512Hey = new SymmetricSecurityKey(KeyingMaterial.DefaultSymmetricKeyBytes_512) { KeyId = "CustomSymmetricSecurityKey_512" };
         sym512Hey.CryptoProviderFactory = customCryptoProviderFactory;
-        var rsaKey = new RsaSecurityKey(KeyingMaterial.RsaParameters_2048) { KeyId = "CustomRsaSecurityKey_2048" };
-
         var configurationWithCustomCryptoProviderFactory = new CustomConfiguration(rsaKey);
         configurationWithCustomCryptoProviderFactory.TokenDecryptionKeys.Add(sym512Hey);
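Review bot: The expected ValidationError in `KeyIdMismatch_TryAllDecryptionKeysFalse_DecryptionFails` wraps `ReferenceTokens.JWEDirectEncryptionUnsignedInnerJWTWithAdditionalHeaderClaims` as the logged security artifact, but the token this case validates is the JWE produced from its `SecurityTokenDescriptor` (RsaPKCS1 key wrap with Aes128CbcHmacSha256), so the `MessageDetail` argument does not describe the token under test and looks carried over from the preceding direct-encryption case. If the theory compares the full message the case fails for the wrong reason; if it compares only the IDX code and failure type, the artifact is misleading dead data, so either build it from the token the test produces or compare on `IDX10609` alone. The success case is also the one that pins a security-relevant default: with `TryAllDecryptionKeys` left true, a `kid` matching no configured key is tolerated and every decryption key is tried, which deserves an explicit comment such as `// A kid that matches no configured key must not fail decryption while TryAllDecryptionKeys (default true) is set` on that TestId rather than only the aside on the ValidationParameters line. The enclosing property starts before this hunk and `CreateCustomConfigurationThatThrows` continues after it.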