Fix KeyNotFoundException in CryptographyProvider.Verify

When a password hash is missing the 'iterations' parameter, Verify now
throws a descriptive FormatException instead of KeyNotFoundException.

- Extract GetIterationsParameter() helper method to avoid code duplication
- Provide distinct error messages for missing vs invalid parameters
- Add comprehensive unit tests for CryptographyProvider

1 files changed, 25 insertions, 2 deletions

diff --git a/Emby.Server.Implementations/Cryptography/CryptographyProvider.cs b/Emby.Server.Implementations/Cryptography/CryptographyProvider.cs
index 5380c45d8..0381c4d35 100644
--- a/Emby.Server.Implementations/Cryptography/CryptographyProvider.cs
+++ b/Emby.Server.Implementations/Cryptography/CryptographyProvider.cs
@@ -39,22 +39,24 @@ namespace Emby.Server.Implementations.Cryptography
         {
             if (string.Equals(hash.Id, "PBKDF2", StringComparison.Ordinal))
             {
+                var iterations = GetIterationsParameter(hash);
                 return hash.Hash.SequenceEqual(
                     Rfc2898DeriveBytes.Pbkdf2(
                         password,
                         hash.Salt,
-                        int.Parse(hash.Parameters["iterations"], CultureInfo.InvariantCulture),
+                        iterations,
                         HashAlgorithmName.SHA1,
                         32));
             }
 
             if (string.Equals(hash.Id, "PBKDF2-SHA512", StringComparison.Ordinal))
             {
+                var iterations = GetIterationsParameter(hash);
                 return hash.Hash.SequenceEqual(
                     Rfc2898DeriveBytes.Pbkdf2(
                         password,
                         hash.Salt,
-                        int.Parse(hash.Parameters["iterations"], CultureInfo.InvariantCulture),
+                        iterations,
                         HashAlgorithmName.SHA512,
                         DefaultOutputLength));
             }
@@ -62,6 +64,27 @@ namespace Emby.Server.Implementations.Cryptography
             throw new NotSupportedException($"Can't verify hash with id: {hash.Id}");
         }
 
+        /// <summary>
+        /// Extracts and validates the iterations parameter from a password hash.
+        /// </summary>
+        /// <param name="hash">The password hash containing parameters.</param>
+        /// <returns>The number of iterations.</returns>
+        /// <exception cref="FormatException">Thrown when iterations parameter is missing or invalid.</exception>
+        private static int GetIterationsParameter(PasswordHash hash)
+        {
+            if (!hash.Parameters.TryGetValue("iterations", out var iterationsStr))
+            {
+                throw new FormatException($"Password hash with id '{hash.Id}' is missing required 'iterations' parameter.");
+            }
+
+            if (!int.TryParse(iterationsStr, CultureInfo.InvariantCulture, out var iterations))
+            {
+                throw new FormatException($"Password hash with id '{hash.Id}' has invalid 'iterations' parameter: '{iterationsStr}'.");
+            }
+
+            return iterations;
+        }
+
         /// <inheritdoc />
         public byte[] GenerateSalt()
             => GenerateSalt(DefaultSaltLength);