Revert some stackalloc conditions

src/JsonWebToken/Cryptography/AesCbcHmacDecryptor.cs

@@ -74,9 +74,9 @@ private bool VerifyAuthenticationTag(ReadOnlySpan<byte> key, ReadOnlySpan<byte>
         {
             byte[]? byteArrayToReturnToPool = null;
             int macLength = associatedData.Length + iv.Length + ciphertext.Length + sizeof(long);
-            Span<byte> macBytes = macLength <= Constants.MaxStackallocBytes
-                                    ? stackalloc byte[Constants.MaxStackallocBytes]
-                                    : (byteArrayToReturnToPool = ArrayPool<byte>.Shared.Rent(macLength));
+            Span<byte> macBytes = macLength > Constants.MaxStackallocBytes
+                                    ? (byteArrayToReturnToPool = ArrayPool<byte>.Shared.Rent(macLength))
+                                    : stackalloc byte[Constants.MaxStackallocBytes];
             try
             {
                 macBytes = macBytes.Slice(0, macLength);
@@ -89,9 +89,11 @@ private bool VerifyAuthenticationTag(ReadOnlySpan<byte> key, ReadOnlySpan<byte>
                 BinaryPrimitives.WriteInt64BigEndian(bytes, associatedData.Length << 3);
 
                 Sha2 hashAlgorithm = _encryptionAlgorithm.SignatureAlgorithm.Sha;
-                Span<byte> hmacKey = stackalloc byte[Sha2.BlockSizeStackallocThreshold * 2].Slice(0, hashAlgorithm.BlockSize * 2); 
+                Span<byte> hmacKey = stackalloc byte[Sha2.BlockSizeStackallocThreshold * 2]
+                    .Slice(0, hashAlgorithm.BlockSize * 2); 
                 Hmac hmac = new Hmac(hashAlgorithm, key, hmacKey);
-                Span<byte> hash = stackalloc byte[AuthenticatedEncryptor.TagSizeStackallocThreshold].Slice(0, authenticationTag.Length * 2);
+                Span<byte> hash = stackalloc byte[AuthenticatedEncryptor.TagSizeStackallocThreshold]
+                    .Slice(0, authenticationTag.Length * 2);
                 hmac.ComputeHash(macBytes, hash);
                 CryptographicOperations.ZeroMemory(hmacKey);
 

src/JsonWebToken/Cryptography/AesCbcHmacEncryptor.cs

@@ -89,9 +89,9 @@ private void ComputeAuthenticationTag(ReadOnlySpan<byte> key, ReadOnlySpan<byte>
             try
             {
                 int macLength = associatedData.Length + iv.Length + ciphertext.Length + sizeof(long);
-                Span<byte> macBytes = macLength <= Constants.MaxStackallocBytes
-                    ? stackalloc byte[Constants.MaxStackallocBytes]
-                    : (arrayToReturnToPool = ArrayPool<byte>.Shared.Rent(macLength));
+                Span<byte> macBytes = macLength > Constants.MaxStackallocBytes
+                    ? (arrayToReturnToPool = ArrayPool<byte>.Shared.Rent(macLength))
+                    : stackalloc byte[Constants.MaxStackallocBytes];
 
                 associatedData.CopyTo(macBytes);
                 var bytes = macBytes.Slice(associatedData.Length);

src/JsonWebToken/Cryptography/Pbes2KeyUnwrapper.cs

@@ -59,9 +59,9 @@ public override bool TryUnwrapKey(ReadOnlySpan<byte> keyBytes, Span<byte> destin
 
             int saltLength = p2sLength + 1 + _algorithmNameLength;
             byte[]? saltArray = null;
-            Span<byte> salt = saltLength <= Pbkdf2.SaltSizeThreshold + 18 + 1
-                                ? stackalloc byte[Pbkdf2.SaltSizeThreshold + 18 + 1]
-                                : (saltArray = ArrayPool<byte>.Shared.Rent(saltLength));
+            Span<byte> salt = saltLength > Pbkdf2.SaltSizeThreshold + 18 + 1
+                                ? (saltArray = ArrayPool<byte>.Shared.Rent(saltLength))
+                                : stackalloc byte[Pbkdf2.SaltSizeThreshold + 18 + 1];
             try
             {
                 salt = salt.Slice(0, saltLength);

src/JsonWebToken/Cryptography/Pbkdf2.cs

@@ -36,8 +36,8 @@ public static void DeriveKey(byte[] password, ReadOnlySpan<byte> salt, Sha2 prf,
                 saltWithBlockIndex = saltWithBlockIndex.Slice(0, saltWithBlockLength);
                 salt.CopyTo(saltWithBlockIndex);
 
-                Span<byte> hmacKey = stackalloc byte[Sha2.BlockSizeStackallocThreshold * 2].Slice(0, prf.BlockSize * 2);
-                var hashAlgorithm = new Hmac(prf, password, hmacKey);
+                Span<byte> hmacKey = stackalloc byte[Sha2.BlockSizeStackallocThreshold * 2];
+                var hashAlgorithm = new Hmac(prf, password, hmacKey.Slice(0, prf.BlockSize * 2));
 
                 int wSize = prf.GetWorkingSetSize(int.MaxValue);
                 int blockSize = hashAlgorithm.BlockSize;

src/JsonWebToken/Jwk.cs

@@ -826,9 +826,9 @@ public static Jwk FromJson(string json)
             try
             {
                 int length = Utf8.GetMaxByteCount(json.Length);
-                Span<byte> jsonSpan = length <= Constants.MaxStackallocBytes
-                            ? stackalloc byte[Constants.MaxStackallocBytes]
-                            : (jsonToReturn = ArrayPool<byte>.Shared.Rent(length));
+                Span<byte> jsonSpan = length > Constants.MaxStackallocBytes
+                            ? (jsonToReturn = ArrayPool<byte>.Shared.Rent(length))
+                            : stackalloc byte[Constants.MaxStackallocBytes];
                 length = Utf8.GetBytes(json, jsonSpan);
                 jsonSpan = jsonSpan.Slice(0, length);
                 var reader = new Utf8JsonReader(jsonSpan, true, default);
@@ -1468,8 +1468,8 @@ public virtual void WriteTo(Utf8JsonWriter writer)
             {
                 byte[]? array = null;
                 Span<byte> buffer = _x5t.Length == 20
-                                        ? stackalloc byte[27] // 27 = Base64Url.GetArraySizeRequiredToEncode(20)
-                                        : ArrayPool<byte>.Shared.Rent(27);
+                                        ? stackalloc byte[27] // 27 =  Base64Url.GetArraySizeRequiredToEncode(20)
+                                        : ArrayPool<byte>.Shared.Rent(Base64Url.GetArraySizeRequiredToEncode(_x5t.Length));
                 try
                 {
                     int bytesWritten = Base64Url.Encode(_x5t, buffer);
@@ -1489,7 +1489,7 @@ public virtual void WriteTo(Utf8JsonWriter writer)
                 byte[]? array = null;
                 Span<byte> buffer = _x5tS256.Length == 32
                                         ? stackalloc byte[43] // 43 = Base64Url.GetArraySizeRequiredToEncode(32)
-                                        : ArrayPool<byte>.Shared.Rent(43);
+                                        : ArrayPool<byte>.Shared.Rent(Base64Url.GetArraySizeRequiredToEncode(_x5tS256.Length));
                 try
                 {
                     int bytesWritten = Base64Url.Encode(_x5tS256, buffer);

src/JsonWebToken/Jwks.cs

@@ -512,9 +512,9 @@ public static Jwks FromJson(string issuer, string json)
             try
             {
                 int length = Utf8.GetMaxByteCount(json.Length);
-                Span<byte> jsonSpan = length <= Constants.MaxStackallocBytes
-                            ? stackalloc byte[Constants.MaxStackallocBytes]
-                            : (jsonToReturn = ArrayPool<byte>.Shared.Rent(length));
+                Span<byte> jsonSpan = length > Constants.MaxStackallocBytes
+                            ? (jsonToReturn = ArrayPool<byte>.Shared.Rent(length))
+                            : stackalloc byte[Constants.MaxStackallocBytes];
                 length = Utf8.GetBytes(json, jsonSpan);
                 return FromJson(issuer, jsonSpan.Slice(0, length));
             }

src/JsonWebToken/Reader/Jwt.cs

@@ -131,9 +131,9 @@ public static bool TryParse(string token, TokenValidationPolicy policy, out Jwt
             }
 
             byte[]? utf8ArrayToReturnToPool = null;
-            var utf8Token = length <= Constants.MaxStackallocBytes
-                  ? stackalloc byte[Constants.MaxStackallocBytes]
-                  : (utf8ArrayToReturnToPool = ArrayPool<byte>.Shared.Rent(length));
+            var utf8Token = length > Constants.MaxStackallocBytes
+                  ? (utf8ArrayToReturnToPool = ArrayPool<byte>.Shared.Rent(length))
+                  : stackalloc byte[Constants.MaxStackallocBytes];
             try
             {
                 int bytesWritten = Utf8.GetBytes(token, utf8Token);
@@ -509,9 +509,9 @@ private static bool TryDecryptToken(
             int headerLength = rawHeader.Length;
             int bufferLength = ciphertextLength + headerLength + initializationVectorLength + authenticationTagLength;
             byte[]? arrayToReturn = null;
-            Span<byte> buffer = bufferLength < Constants.MaxStackallocBytes
-                ? stackalloc byte[Constants.MaxStackallocBytes]
-                : (arrayToReturn = ArrayPool<byte>.Shared.Rent(bufferLength));
+            Span<byte> buffer = bufferLength > Constants.MaxStackallocBytes
+                ? (arrayToReturn = ArrayPool<byte>.Shared.Rent(bufferLength))
+                : stackalloc byte[Constants.MaxStackallocBytes];
 
             Span<byte> ciphertext = buffer.Slice(0, ciphertextLength);
             Span<byte> header = buffer.Slice(ciphertextLength, headerLength);
@@ -526,10 +526,10 @@ private static bool TryDecryptToken(
                 try
                 {
                     int utf8HeaderLength = Utf8.GetMaxCharCount(header.Length);
-                    Span<char> utf8Header = utf8HeaderLength < Constants.MaxStackallocChars
-                        ? stackalloc char[Constants.MaxStackallocChars]
-                        : (headerArrayToReturn = ArrayPool<char>.Shared.Rent(utf8HeaderLength));
-
+                    Span<char> utf8Header = utf8HeaderLength > Constants.MaxStackallocChars
+                        ? (headerArrayToReturn = ArrayPool<char>.Shared.Rent(utf8HeaderLength))
+                        : stackalloc char[Constants.MaxStackallocChars];
+                    
                     utf8HeaderLength = Utf8.GetChars(rawHeader, utf8Header);
                     Ascii.GetBytes(utf8Header.Slice(0, utf8HeaderLength), header);
                 }
@@ -593,9 +593,9 @@ private static bool TryGetContentEncryptionKeys(JwtHeaderDocument header, ReadOn
 
                     byte[]? encryptedKeyToReturnToPool = null;
                     const int KeySizeThreshold = 72;
-                    Span<byte> encryptedKey = decodedSize <= KeySizeThreshold ?
-                        stackalloc byte[KeySizeThreshold] :
-                        encryptedKeyToReturnToPool = ArrayPool<byte>.Shared.Rent(decodedSize);
+                    Span<byte> encryptedKey = decodedSize > KeySizeThreshold
+                        ? encryptedKeyToReturnToPool = ArrayPool<byte>.Shared.Rent(decodedSize)
+                        : stackalloc byte[KeySizeThreshold];
 
                     try
                     {

src/JsonWebToken/Reader/SignatureValidationPolicy.cs

@@ -147,9 +147,9 @@ public override bool TryValidateSignature(JwtHeaderDocument header, JwtPayloadDo
                 try
                 {
                     int signatureBytesLength = Base64Url.GetArraySizeRequiredToDecode(signatureSegment.Length);
-                    Span<byte> signatureBytes = signatureBytesLength <= Constants.MaxStackallocBytes
-                            ? stackalloc byte[Constants.MaxStackallocBytes]
-                            : (signatureToReturn = ArrayPool<byte>.Shared.Rent(signatureBytesLength));
+                    Span<byte> signatureBytes = signatureBytesLength > Constants.MaxStackallocBytes
+                            ? (signatureToReturn = ArrayPool<byte>.Shared.Rent(signatureBytesLength))
+                            : stackalloc byte[Constants.MaxStackallocBytes];
 
                     if (Base64Url.Decode(signatureSegment, signatureBytes, out _, out int bytesWritten) != OperationStatus.Done)
                     {

src/JsonWebToken/Writer/JweDescriptor`1.cs

@@ -157,9 +157,9 @@ protected void EncryptToken(ReadOnlySpan<byte> payload, EncodingContext context)
                 byte[]? buffer64HeaderToReturnToPool = null;
                 byte[]? arrayCiphertextToReturnToPool = null;
                 int keyWrapSize = keyWrapper.GetKeyWrapSize();
-                Span<byte> wrappedKey = keyWrapSize <= KeyWrapper.WrappedKeySizeStackallocThreshold ?
-                    stackalloc byte[KeyWrapper.WrappedKeySizeStackallocThreshold] :
-                    wrappedKeyToReturnToPool = ArrayPool<byte>.Shared.Rent(keyWrapSize);
+                Span<byte> wrappedKey = keyWrapSize > KeyWrapper.WrappedKeySizeStackallocThreshold ?
+                    wrappedKeyToReturnToPool = ArrayPool<byte>.Shared.Rent(keyWrapSize) :
+                    stackalloc byte[KeyWrapper.WrappedKeySizeStackallocThreshold];
                 wrappedKey = wrappedKey.Slice(0, keyWrapSize);
                 var cek = keyWrapper.WrapKey(null, header, wrappedKey);
 

src/JsonWebToken/Writer/JwsDescriptor.cs

@@ -149,9 +149,9 @@ public override void Encode(EncodingContext context)
                 offset += Base64Url.Encode(bufferWriter.WrittenSpan.Slice(0, payloadLength), buffer.Slice(offset));
                 buffer[offset] = Constants.ByteDot;
                 byte[]? signatureArray = null;
-                Span<byte> signature = signer.HashSizeInBytes <= Signer.SignatureStackallocThreshold
-                                        ? stackalloc byte[Signer.SignatureStackallocThreshold]
-                                        : (signatureArray = ArrayPool<byte>.Shared.Rent(signer.HashSizeInBytes));
+                Span<byte> signature = signer.HashSizeInBytes > Signer.SignatureStackallocThreshold
+                                        ? (signatureArray = ArrayPool<byte>.Shared.Rent(signer.HashSizeInBytes))
+                                        : stackalloc byte[Signer.SignatureStackallocThreshold];
                 signature = signature.Slice(0, signer.HashSizeInBytes);
                 try
                 {