From 11e00ceac03a21035ffdb042d9538a09878311f0 Mon Sep 17 00:00:00 2001
From: Andrew Casey
Date: Fri, 1 Mar 2024 10:15:53 -0800
Subject: [PATCH] Ensure key creation time is no later than key activation time

It makes no functional difference, but it was causing confusion.
---
 .../DataProtection/src/KeyManagement/XmlKeyManager.cs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/DataProtection/DataProtection/src/KeyManagement/XmlKeyManager.cs b/src/DataProtection/DataProtection/src/KeyManagement/XmlKeyManager.cs
index 57a678e6480b..31b1fc66b4ad 100644
--- a/src/DataProtection/DataProtection/src/KeyManagement/XmlKeyManager.cs
+++ b/src/DataProtection/DataProtection/src/KeyManagement/XmlKeyManager.cs
@@ -135,9 +135,12 @@ internal XmlKeyManager(
 ///
 public IKey CreateNewKey(DateTimeOffset activationDate, DateTimeOffset expirationDate)
 {
+ // For an immediately-activated key, the caller's Now may be slightly before ours,
+ // so we'll compensate to ensure that activation is never before creation.
+ var now = DateTimeOffset.UtcNow;
 return _internalKeyManager.CreateNewKey(
 keyId: Guid.NewGuid(),
- creationDate: DateTimeOffset.UtcNow,
+ creationDate: activationDate < now ? activationDate : now,
 activationDate: activationDate,
 expirationDate: expirationDate);
 }
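Review bot: The clamp on the `creationDate:` argument has no lower bound, so a caller that passes an `activationDate` well in the past gets a key whose recorded creation time is back-dated by the same amount, while the added comment only describes a "slightly before" clock difference. Nothing visible in the hunk validates `activationDate`, so after this change the stored creation timestamp is caller-influenced and should not be treated as evidence of when the key material was actually generated (for example when correlating key-ring entries during an investigation). I would say so next to the clamp, e.g. `// NOTE: creationDate follows activationDate whenever it is in the past; it is not a reliable record of when the key was generated.` Separately, when the `activationDate` branch is taken the value keeps the caller's offset rather than UTC; if downstream code assumes a UTC creation date, `activationDate.ToUniversalTime()` would keep the previous shape, though whether that matters depends on serialization code outside this hunk.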