diff --git a/src/DataProtection/DataProtection/src/KeyManagement/DefaultKeyResolver.cs b/src/DataProtection/DataProtection/src/KeyManagement/DefaultKeyResolver.cs
index c16c8842ad12..2c60e6356bae 100644
--- a/src/DataProtection/DataProtection/src/KeyManagement/DefaultKeyResolver.cs
+++ b/src/DataProtection/DataProtection/src/KeyManagement/DefaultKeyResolver.cs
@@ -157,8 +157,9 @@ private bool CanCreateAuthenticatedEncryptor(IKey key, ref int retriesRemaining)
 // fallback code below and the hypothetical advantage of making it easier for instances
 // to choose the same key in the event of a race (though we never managed to show that
 // empirically. See also https://github.com/dotnet/aspnetcore/issues/57137.
+ var maxActivationDate = now + _maxServerToServerClockSkew;
 var preferredDefaultKey = (from key in allKeys
- where key.ActivationDate <= now + _maxServerToServerClockSkew
+ where key.ActivationDate <= maxActivationDate
 orderby key.ActivationDate descending, key.KeyId ascending
 select key).FirstOrDefault();
@@ -192,13 +193,14 @@ private bool CanCreateAuthenticatedEncryptor(IKey key, ref int retriesRemaining)
 // Unlike for the preferred key, we don't choose a fallback key and then reject it if
 // CanCreateAuthenticatedEncryptor is false. We want to end up with *some* key, so we
 // keep trying until we find one that works.
+ var maxCreationDate = now - _keyPropagationWindow;
 var unrevokedKeys = allKeys.Where(key => !key.IsRevoked);
 fallbackKey = (from key in (from key in unrevokedKeys
 where !ReferenceEquals(key, preferredDefaultKey) // Don't reconsider it as a fallback
- where key.CreationDate <= now - _keyPropagationWindow
+ where key.CreationDate <= maxCreationDate
 orderby key.CreationDate descending
 select key).Concat(from key in unrevokedKeys
- where key.CreationDate > now - _keyPropagationWindow
+ where key.CreationDate > maxCreationDate
 orderby key.CreationDate ascending
 select key)
 where CanCreateAuthenticatedEncryptor(key, ref decryptRetriesRemaining)
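Review bot: `maxCreationDate` in the second hunk is a misleading name, because the same value is an upper bound in the first sub-query (`key.CreationDate <= maxCreationDate`) and a lower bound in the concatenated one (`key.CreationDate > maxCreationDate`), so keys "after the max" are not excluded but deliberately appended as the last-resort tail. A direction-neutral name with a one-line comment would make the two-phase ordering self-explanatory, e.g. `var propagationCutoff = now - _keyPropagationWindow; // presumably: keys created after this may not have reached every instance yet, so they are tried last`. The analogous `maxActivationDate` in the first hunk is only ever used as an upper bound, so its name reads correctly. The enclosing method begins and ends outside both hunks.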