Added IssuerSigningKeyValidationError and updated its use within the …

…signing key validation
AzureAD · Nov 20, 2024 · 0e9840a · 0e9840a
1 parent c38aa34
commit 0e9840a
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 10 deletions.
diff --git a/src/Microsoft.IdentityModel.Tokens/InternalAPI.Unshipped.txt b/src/Microsoft.IdentityModel.Tokens/InternalAPI.Unshipped.txt
@@ -11,6 +11,10 @@ Microsoft.IdentityModel.Tokens.AudienceValidationError.TokenAudiences.get -> Sys
 Microsoft.IdentityModel.Tokens.AudienceValidationError.TokenAudiences.set -> void
 Microsoft.IdentityModel.Tokens.AudienceValidationError.ValidAudiences.get -> System.Collections.Generic.IList<string>
 Microsoft.IdentityModel.Tokens.AudienceValidationError.ValidAudiences.set -> void
+Microsoft.IdentityModel.Tokens.IssuerSigningKeyValidationError
+Microsoft.IdentityModel.Tokens.IssuerSigningKeyValidationError.InvalidSigningKey.get -> Microsoft.IdentityModel.Tokens.SecurityKey
+Microsoft.IdentityModel.Tokens.IssuerSigningKeyValidationError.InvalidSigningKey.set -> void
+Microsoft.IdentityModel.Tokens.IssuerSigningKeyValidationError.IssuerSigningKeyValidationError(Microsoft.IdentityModel.Tokens.MessageDetail messageDetail, System.Type exceptionType, System.Diagnostics.StackFrame stackFrame, Microsoft.IdentityModel.Tokens.SecurityKey invalidSigningKey, Microsoft.IdentityModel.Tokens.ValidationFailureType failureType = null, System.Exception innerException = null) -> void
 Microsoft.IdentityModel.Tokens.IssuerValidationError.InvalidIssuer.get -> string
 Microsoft.IdentityModel.Tokens.IssuerValidationError.IssuerValidationError(Microsoft.IdentityModel.Tokens.MessageDetail messageDetail, System.Type exceptionType, System.Diagnostics.StackFrame stackFrame, string invalidIssuer, Microsoft.IdentityModel.Tokens.ValidationFailureType validationFailureType = null, System.Exception innerException = null) -> void
 Microsoft.IdentityModel.Tokens.IssuerValidationSource.IssuerMatchedConfiguration = 1 -> Microsoft.IdentityModel.Tokens.IssuerValidationSource
@@ -34,12 +38,14 @@ Microsoft.IdentityModel.Tokens.ValidationResult<TResult>.Error.get -> Microsoft.
 Microsoft.IdentityModel.Tokens.ValidationResult<TResult>.IsValid.get -> bool
 Microsoft.IdentityModel.Tokens.ValidationResult<TResult>.Result.get -> TResult
 override Microsoft.IdentityModel.Tokens.AlgorithmValidationError.GetException() -> System.Exception
+override Microsoft.IdentityModel.Tokens.IssuerSigningKeyValidationError.GetException() -> System.Exception
 override Microsoft.IdentityModel.Tokens.TokenTypeValidationError.GetException() -> System.Exception
 static Microsoft.IdentityModel.Tokens.AudienceValidationError.AudiencesCountZero -> System.Diagnostics.StackFrame
 static Microsoft.IdentityModel.Tokens.AudienceValidationError.AudiencesNull -> System.Diagnostics.StackFrame
 static Microsoft.IdentityModel.Tokens.AudienceValidationError.ValidateAudienceFailed -> System.Diagnostics.StackFrame
 static Microsoft.IdentityModel.Tokens.AudienceValidationError.ValidationParametersAudiencesCountZero -> System.Diagnostics.StackFrame
 static Microsoft.IdentityModel.Tokens.AudienceValidationError.ValidationParametersNull -> System.Diagnostics.StackFrame
+static Microsoft.IdentityModel.Tokens.IssuerSigningKeyValidationError.NullParameter(string parameterName, System.Diagnostics.StackFrame stackFrame) -> Microsoft.IdentityModel.Tokens.IssuerSigningKeyValidationError
 static Microsoft.IdentityModel.Tokens.Utility.SerializeAsSingleCommaDelimitedString(System.Collections.Generic.IList<string> strings) -> string
 static Microsoft.IdentityModel.Tokens.ValidationError.GetCurrentStackFrame(string filePath = "", int lineNumber = 0, int skipFrames = 1) -> System.Diagnostics.StackFrame
 static readonly Microsoft.IdentityModel.Tokens.ValidationFailureType.IssuerSigningKeyValidatorThrew -> Microsoft.IdentityModel.Tokens.ValidationFailureType

diff --git a/...rosoft.IdentityModel.Tokens/Validation/Results/Details/IssuerSigningKeyValidationError.cs b/...rosoft.IdentityModel.Tokens/Validation/Results/Details/IssuerSigningKeyValidationError.cs
@@ -0,0 +1,52 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+
+using System.Diagnostics;
+using System;
+
+#nullable enable
+namespace Microsoft.IdentityModel.Tokens
+{
+    internal class IssuerSigningKeyValidationError : ValidationError
+    {
+        internal IssuerSigningKeyValidationError(
+            MessageDetail messageDetail,
+            Type exceptionType,
+            StackFrame stackFrame,
+            SecurityKey? invalidSigningKey,
+            ValidationFailureType? failureType = null,
+            Exception? innerException = null)
+            : base(messageDetail, exceptionType, stackFrame, failureType ?? ValidationFailureType.SigningKeyValidationFailed, innerException)
+        {
+            InvalidSigningKey = invalidSigningKey;
+        }
+
+        internal override Exception GetException()
+        {
+            if (ExceptionType == typeof(SecurityTokenInvalidSigningKeyException))
+            {
+                SecurityTokenInvalidSigningKeyException? exception = new(MessageDetail.Message, InnerException)
+                {
+                    SigningKey = InvalidSigningKey
+                };
+                exception.SetValidationError(this);
+
+                return exception;
+            }
+
+            return base.GetException();
+        }
+
+
+        internal static new IssuerSigningKeyValidationError NullParameter(string parameterName, StackFrame stackFrame) => new(
+            MessageDetail.NullParameter(parameterName),
+            typeof(SecurityTokenArgumentNullException),
+            stackFrame,
+            null, // InvalidSigningKey
+            ValidationFailureType.NullArgument);
+
+        protected SecurityKey? InvalidSigningKey { get; set; }
+    }
+}
+#nullable restore
diff --git a/src/Microsoft.IdentityModel.Tokens/Validation/Validators.IssuerSigningKey.cs b/src/Microsoft.IdentityModel.Tokens/Validation/Validators.IssuerSigningKey.cs
@@ -2,7 +2,6 @@
 // Licensed under the MIT License.
 
 using System;
-using System.Diagnostics;
 using System.Security.Cryptography.X509Certificates;
 using Microsoft.IdentityModel.Logging;
 
@@ -57,19 +56,20 @@ internal static ValidationResult<ValidatedSigningKeyLifetime> ValidateIssuerSign
             if (validationParameters == null)
                 return ValidationError.NullParameter(
                     nameof(validationParameters),
-                    new StackFrame(true));
+                    ValidationError.GetCurrentStackFrame());
 
             if (securityKey == null)
-                return new ValidationError(
+                return new IssuerSigningKeyValidationError(
                     new MessageDetail(LogMessages.IDX10253, nameof(securityKey)),
                     typeof(SecurityTokenArgumentNullException),
-                    new StackFrame(true),
+                    ValidationError.GetCurrentStackFrame(),
+                    securityKey,
                     ValidationFailureType.SigningKeyValidationFailed);
 
             if (securityToken == null)
-                return ValidationError.NullParameter(
+                return IssuerSigningKeyValidationError.NullParameter(
                     nameof(securityToken),
-                    new StackFrame(true));
+                    ValidationError.GetCurrentStackFrame());
 
             return ValidateIssuerSigningKeyLifeTime(securityKey, validationParameters, callContext);
         }
@@ -98,27 +98,29 @@ internal static ValidationResult<ValidatedSigningKeyLifetime> ValidateIssuerSign
                 notAfterUtc = cert.NotAfter.ToUniversalTime();
 
                 if (notBeforeUtc > DateTimeUtil.Add(utcNow, validationParameters.ClockSkew))
-                    return new ValidationError(
+                    return new IssuerSigningKeyValidationError(
                         new MessageDetail(
                             LogMessages.IDX10248,
                             LogHelper.MarkAsNonPII(notBeforeUtc),
                             LogHelper.MarkAsNonPII(utcNow)),
                         typeof(SecurityTokenInvalidSigningKeyException),
-                        new StackFrame(true),
+                        ValidationError.GetCurrentStackFrame(),
+                        securityKey,
                         ValidationFailureType.SigningKeyValidationFailed);
 
                 //TODO: Move to CallContext
                 //if (LogHelper.IsEnabled(EventLogLevel.Informational))
                 //    LogHelper.LogInformation(LogMessages.IDX10250, LogHelper.MarkAsNonPII(notBeforeUtc), LogHelper.MarkAsNonPII(utcNow));
 
                 if (notAfterUtc < DateTimeUtil.Add(utcNow, validationParameters.ClockSkew.Negate()))
-                    return new ValidationError(
+                    return new IssuerSigningKeyValidationError(
                         new MessageDetail(
                             LogMessages.IDX10249,
                             LogHelper.MarkAsNonPII(notAfterUtc),
                             LogHelper.MarkAsNonPII(utcNow)),
                         typeof(SecurityTokenInvalidSigningKeyException),
-                        new StackFrame(true),
+                        ValidationError.GetCurrentStackFrame(),
+                        securityKey,
                         ValidationFailureType.SigningKeyValidationFailed);
 
                 // TODO: Move to CallContext