Extensions.Configuration.Xml -> XmlDocumentDecryptor: How to provide encryption algorithm?

[marlon-tucker]

Hello,

I've been trying to determine how the following class can be used:

https://github.com/dotnet/runtime/blob/main/src/libraries/Microsoft.Extensions.Configuration.Xml/src/XmlDocumentDecryptor.cs

From what I can see, it creates a new EncryptedXml class and then calls DecryptDocument:

runtime/src/libraries/Microsoft.Extensions.Configuration.Xml/src/XmlDocumentDecryptor.cs

Lines 95 to 96 in 5c0c317

	EncryptedXml encryptedXml = _encryptedXmlFactory?.Invoke(document) ?? new EncryptedXml(document);
	encryptedXml.DecryptDocument();

However, reading the documentation for the EncryptedXml class, it indicates an encryption algorithm should be set before calling the DecrpytDocument method, and I can't see any way that can be achieved. The factory method appears to be only used for testing and there's no way to provide an alternative decryptor to the standard XmlConfigurationProvider.

https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.xml.encryptedxml.decryptdocument?view=dotnet-plat-ext-6.0

        // Add a key-name mapping.
        // This method can only decrypt documents
        // that present the specified key name.
        exml.AddKeyNameMapping(KeyName, Alg);

Are developers supposed to inherit from XmlDocumentDecryptor which can then provide it's own implementation. Create a new custom Xml Configuration provider and then forward onto the XmlStreamConfigurationProvider?

The standard decryptor class has a nice helper method to determine if a Xml document has any encrypted elements, but that method is marked as private so it feels like it isn't intended to be inherited.