RockSolidKnowledge · jhbritton-RSK · Dec 5, 2024 · Dec 11, 2024 · Dec 11, 2024 · Dec 11, 2024
diff --git a/.idea/.idea.OpenIddict/.idea/.gitignore b/.idea/.idea.OpenIddict/.idea/.gitignore
diff --git a/.idea/.idea.OpenIddict/.idea/.name b/.idea/.idea.OpenIddict/.idea/.name
diff --git a/.idea/.idea.OpenIddict/.idea/encodings.xml b/.idea/.idea.OpenIddict/.idea/encodings.xml
diff --git a/.idea/.idea.OpenIddict/.idea/indexLayout.xml b/.idea/.idea.OpenIddict/.idea/indexLayout.xml
diff --git a/.idea/.idea.OpenIddict/.idea/vcs.xml b/.idea/.idea.OpenIddict/.idea/vcs.xml
diff --git a/global.json b/global.json
@@ -1,25 +1,22 @@
 {
   "sdk": {
-    "version": "9.0.100",
-    "allowPrerelease": true,
-    "rollForward": "major"
+    "version": "9.0.0",
+    "rollForward": "major",
+    "allowPrerelease": true
   },
-
   "tools": {
     "dotnet": "9.0.100",
-
     "runtimes": {
       "aspnetcore": [
         "6.0.36",
         "8.0.11"
       ]
     }
   },
-
   "msbuild-sdks": {
     "Microsoft.DotNet.Arcade.Sdk": "8.0.0-beta.23516.4",
     "Microsoft.DotNet.Helix.Sdk": "8.0.0-beta.23516.4",
     "MSBuild.Sdk.Extras": "3.0.44",
     "MSBuild.SDK.SystemWeb": "4.0.88"
   }
-}
+}
diff --git a/src/OpenIddict.Server/IOpenIddictCredentialList.cs b/src/OpenIddict.Server/IOpenIddictCredentialList.cs
@@ -0,0 +1,16 @@
+using Microsoft.IdentityModel.Tokens;
+
+namespace OpenIddict.Server
+{
+    public interface IOpenIddictCredentialList<T> : IEnumerable<T>
+    {
+        public abstract SigningCredentials this[int index] { get; }
+        public abstract bool TrueForAll(Predicate<T> match);
+        public abstract bool Exists(Predicate<T> match);
+        public abstract T? Find(Predicate<T> match);
+        public abstract void Add(T item);
+        public abstract void AddRange(IEnumerable<T> items);
+        public abstract void Remove(string keyId);
+        public abstract void Clear();
+    }
+}
diff --git a/src/OpenIddict.Server/OpenIddictSecurityKeyExtensions.cs b/src/OpenIddict.Server/OpenIddictSecurityKeyExtensions.cs
@@ -0,0 +1,78 @@
+using System.Diagnostics;
+using Microsoft.IdentityModel.Tokens;
+
+namespace OpenIddict.Server
+{
+    public static class OpenIddictSecurityKeyExtensions
+    {
+        public static int Compare(SecurityKey left, SecurityKey right, DateTime now) => (left, right) switch
+        {
+            // If the two keys refer to the same instances, return 0.
+            ({ } first, { } second) when ReferenceEquals(first, second) => 0,
+
+            // If one of the keys is a symmetric key, prefer it to the other one.
+            (SymmetricSecurityKey, SymmetricSecurityKey)              =>  0,
+            (SymmetricSecurityKey, not SymmetricSecurityKey)          => -1,
+            (not SymmetricSecurityKey, SymmetricSecurityKey)          =>  1,
+
+            // If one of the keys is backed by a X.509 certificate, don't prefer it if it's not valid yet.
+            (X509SecurityKey first, not null) when first.Certificate.NotBefore  > now =>  1,
+            (not null, X509SecurityKey second) when second.Certificate.NotBefore > now => -1,
+
+            // If the two keys are backed by a X.509 certificate, prefer the one with the furthest expiration date.
+            (X509SecurityKey first, X509SecurityKey second) => -first.Certificate.NotAfter.CompareTo(second.Certificate.NotAfter),
+
+            // If one of the keys is backed by a X.509 certificate, prefer the X.509 security key.
+            (X509SecurityKey, not X509SecurityKey) => -1,
+            (not X509SecurityKey, X509SecurityKey) =>  1,
+
+            // If the two keys are not backed by a X.509 certificate, none should be preferred to the other.
+            (not X509SecurityKey, not X509SecurityKey) => 0
+        };
+
+        internal static string? GetKeyIdentifier(SecurityKey key)
+        {
+            // When no key identifier can be retrieved from the security keys, a value is automatically
+            // inferred from the hexadecimal representation of the certificate thumbprint (SHA-1)
+            // when the key is bound to a X.509 certificate or from the public part of the signing key.
+
+            if (key is X509SecurityKey x509SecurityKey)
+            {
+                return x509SecurityKey.Certificate.Thumbprint;
+            }
+
+            if (key is RsaSecurityKey rsaSecurityKey)
+            {
+                // Note: if the RSA parameters are not attached to the signing key,
+                // extract them by calling ExportParameters on the RSA instance.
+                var parameters = rsaSecurityKey.Parameters;
+                if (parameters.Modulus is null)
+                {
+                    parameters = rsaSecurityKey.Rsa.ExportParameters(includePrivateParameters: false);
+
+                    Debug.Assert(parameters.Modulus is not null, SR.GetResourceString(SR.ID4003));
+                }
+
+                // Only use the 40 first chars of the base64url-encoded modulus.
+                var identifier = Base64UrlEncoder.Encode(parameters.Modulus);
+                return identifier[..Math.Min(identifier.Length, 40)].ToUpperInvariant();
+            }
+
+#if SUPPORTS_ECDSA
+            if (key is ECDsaSecurityKey ecsdaSecurityKey)
+            {
+                // Extract the ECDSA parameters from the signing credentials.
+                var parameters = ecsdaSecurityKey.ECDsa.ExportParameters(includePrivateParameters: false);
+
+                Debug.Assert(parameters.Q.X is not null, SR.GetResourceString(SR.ID4004));
+
+                // Only use the 40 first chars of the base64url-encoded X coordinate.
+                var identifier = Base64UrlEncoder.Encode(parameters.Q.X);
+                return identifier[..Math.Min(identifier.Length, 40)].ToUpperInvariant();
+            }
+#endif
+
+            return null;
+        }
+    }
+}
diff --git a/src/OpenIddict.Server/OpenIddictServerConfiguration.cs b/src/OpenIddict.Server/OpenIddictServerConfiguration.cs
@@ -191,15 +191,15 @@ options.RevocationEndpointUris.Count    is not 0 ||
         {
             throw new InvalidOperationException(SR.GetResourceString(SR.ID0085));
         }
-
+        
         if (!options.SigningCredentials.Exists(static credentials => credentials.Key is AsymmetricSecurityKey))
         {
             throw new InvalidOperationException(SR.GetResourceString(SR.ID0086));
         }
 
         var now = (
 #if SUPPORTS_TIME_PROVIDER
-                options.TimeProvider?.GetUtcNow() ??
+                options.TimeProvider?.GetUtcNow().DateTime ??
 #endif
                 DateTimeOffset.UtcNow
             )
@@ -214,7 +214,7 @@ options.RevocationEndpointUris.Count    is not 0 ||
 
         // If all the registered signing credentials are backed by a X.509 certificate, at least one of them must be valid.
         if (options.SigningCredentials.TrueForAll(credentials => credentials.Key is X509SecurityKey x509SecurityKey &&
-               (x509SecurityKey.Certificate.NotBefore > now || x509SecurityKey.Certificate.NotAfter < now)))
+                                                                          (x509SecurityKey.Certificate.NotBefore > now || x509SecurityKey.Certificate.NotAfter < now)))
         {
             throw new InvalidOperationException(SR.GetResourceString(SR.ID0088));
         }
@@ -390,15 +390,15 @@ descriptor.Type is OpenIddictServerHandlerType.Custom &&
         options.Handlers.Sort(static (left, right) => left.Order.CompareTo(right.Order));
 
         // Sort the encryption and signing credentials.
-        options.EncryptionCredentials.Sort((left, right) => Compare(left.Key, right.Key, now));
-        options.SigningCredentials.Sort((left, right) => Compare(left.Key, right.Key, now));
+        options.EncryptionCredentials.Sort((left, right) => OpenIddictSecurityKeyExtensions.Compare(left.Key, right.Key, now));
+        // options.SigningCredentials.Sort((left, right) => OpenIddictServerOptionsExtensions.Compare(left.Key, right.Key, now));
 
         // Generate a key identifier for the encryption/signing keys that don't already have one.
         foreach (var key in options.EncryptionCredentials.Select(credentials => credentials.Key)
             .Concat(options.SigningCredentials.Select(credentials => credentials.Key))
             .Where(key => string.IsNullOrEmpty(key.KeyId)))
         {
-            key.KeyId = GetKeyIdentifier(key);
+            key.KeyId = OpenIddictSecurityKeyExtensions.GetKeyIdentifier(key);
         }
 
         // Attach the signing credentials to the token validation parameters.
@@ -410,75 +410,5 @@ from credentials in options.SigningCredentials
         options.TokenValidationParameters.TokenDecryptionKeys =
             from credentials in options.EncryptionCredentials
             select credentials.Key;
-
-        static int Compare(SecurityKey left, SecurityKey right, DateTime now) => (left, right) switch
-        {
-            // If the two keys refer to the same instances, return 0.
-            (SecurityKey first, SecurityKey second) when ReferenceEquals(first, second) => 0,
-
-            // If one of the keys is a symmetric key, prefer it to the other one.
-            (SymmetricSecurityKey, SymmetricSecurityKey) => 0,
-            (SymmetricSecurityKey, SecurityKey)          => -1,
-            (SecurityKey, SymmetricSecurityKey)          => 1,
-
-            // If one of the keys is backed by a X.509 certificate, don't prefer it if it's not valid yet.
-            (X509SecurityKey first, SecurityKey)  when first.Certificate.NotBefore  > now => 1,
-            (SecurityKey, X509SecurityKey second) when second.Certificate.NotBefore > now => -1,
-
-            // If the two keys are backed by a X.509 certificate, prefer the one with the furthest expiration date.
-            (X509SecurityKey first, X509SecurityKey second) => -first.Certificate.NotAfter.CompareTo(second.Certificate.NotAfter),
-
-            // If one of the keys is backed by a X.509 certificate, prefer the X.509 security key.
-            (X509SecurityKey, SecurityKey) => -1,
-            (SecurityKey, X509SecurityKey) => 1,
-
-            // If the two keys are not backed by a X.509 certificate, none should be preferred to the other.
-            (SecurityKey, SecurityKey) => 0
-        };
-
-        static string? GetKeyIdentifier(SecurityKey key)
-        {
-            // When no key identifier can be retrieved from the security keys, a value is automatically
-            // inferred from the hexadecimal representation of the certificate thumbprint (SHA-1)
-            // when the key is bound to a X.509 certificate or from the public part of the signing key.
-
-            if (key is X509SecurityKey x509SecurityKey)
-            {
-                return x509SecurityKey.Certificate.Thumbprint;
-            }
-
-            if (key is RsaSecurityKey rsaSecurityKey)
-            {
-                // Note: if the RSA parameters are not attached to the signing key,
-                // extract them by calling ExportParameters on the RSA instance.
-                var parameters = rsaSecurityKey.Parameters;
-                if (parameters.Modulus is null)
-                {
-                    parameters = rsaSecurityKey.Rsa.ExportParameters(includePrivateParameters: false);
-
-                    Debug.Assert(parameters.Modulus is not null, SR.GetResourceString(SR.ID4003));
-                }
-
-                // Only use the 40 first chars of the base64url-encoded modulus.
-                var identifier = Base64UrlEncoder.Encode(parameters.Modulus);
-                return identifier[..Math.Min(identifier.Length, 40)].ToUpperInvariant();
-            }
-
-#if SUPPORTS_ECDSA
-            if (key is ECDsaSecurityKey ecsdaSecurityKey)
-            {
-                // Extract the ECDSA parameters from the signing credentials.
-                var parameters = ecsdaSecurityKey.ECDsa.ExportParameters(includePrivateParameters: false);
-
-                Debug.Assert(parameters.Q.X is not null, SR.GetResourceString(SR.ID4004));
-
-                // Only use the 40 first chars of the base64url-encoded X coordinate.
-                var identifier = Base64UrlEncoder.Encode(parameters.Q.X);
-                return identifier[..Math.Min(identifier.Length, 40)].ToUpperInvariant();
-            }
-#endif
-
-            return null;
-        }
     }
 }
diff --git a/src/OpenIddict.Server/OpenIddictServerOptions.cs b/src/OpenIddict.Server/OpenIddictServerOptions.cs
@@ -53,9 +53,9 @@ public sealed class OpenIddictServerOptions
     ///   <item><description>X.509 keys are always preferred to non-X.509 asymmetric keys.</description></item>
     ///   <item><description>X.509 keys with the furthest expiration date are preferred.</description></item>
     ///   <item><description>X.509 keys whose backing certificate is not yet valid are never preferred.</description></item>
-    /// </list>
+    /// </list>n
     /// </remarks>
-    public List<SigningCredentials> SigningCredentials { get; } = [];
+    public IOpenIddictCredentialList<SigningCredentials> SigningCredentials { get; } = new OpenIddictSigningCredentialList([], null);
 
     /// <summary>
     /// Gets the absolute and relative URIs associated to the authorization endpoint.
@@ -170,7 +170,7 @@ public sealed class OpenIddictServerOptions
         },
         // Note: audience and lifetime are manually validated by OpenIddict itself.
         ValidateAudience = false,
-        ValidateLifetime = false
+        ValidateLifetime = false,
     };
 
     /// <summary>