AzureAD · iNinja · Nov 9, 2024 · Oct 31, 2024 · Oct 31, 2024 · Oct 31, 2024
diff --git a/src/Microsoft.IdentityModel.Tokens.Saml/InternalAPI.Unshipped.txt b/src/Microsoft.IdentityModel.Tokens.Saml/InternalAPI.Unshipped.txt
@@ -30,6 +30,8 @@ static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrame
 static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.IssuerValidationFailed -> System.Diagnostics.StackFrame
 static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.LifetimeValidationFailed -> System.Diagnostics.StackFrame
 static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.OneTimeUseValidationFailed -> System.Diagnostics.StackFrame
+static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.SignatureValidationFailed -> System.Diagnostics.StackFrame
 static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.TokenNull -> System.Diagnostics.StackFrame
 static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.TokenValidationParametersNull -> System.Diagnostics.StackFrame
+static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateSignature(Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityToken samlToken, Microsoft.IdentityModel.Tokens.ValidationParameters validationParameters, Microsoft.IdentityModel.Tokens.CallContext callContext) -> Microsoft.IdentityModel.Tokens.ValidationResult<Microsoft.IdentityModel.Tokens.SecurityKey>
 virtual Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateConditions(Microsoft.IdentityModel.Tokens.Saml.SamlSecurityToken samlToken, Microsoft.IdentityModel.Tokens.ValidationParameters validationParameters, Microsoft.IdentityModel.Tokens.CallContext callContext) -> Microsoft.IdentityModel.Tokens.ValidationResult<Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidatedConditions>
diff --git a/src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlSecurityTokenHandler.ValidateSignature.cs b/src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlSecurityTokenHandler.ValidateSignature.cs
@@ -2,7 +2,6 @@
 // Licensed under the MIT License.
 
 using System.Collections.Generic;
-using System.Diagnostics;
 using System.Text;
 using Microsoft.IdentityModel.Xml;
 using TokenLogMessages = Microsoft.IdentityModel.Tokens.LogMessages;
@@ -23,14 +22,14 @@ internal static ValidationResult<SecurityKey> ValidateSignature(
             {
                 return ValidationError.NullParameter(
                     nameof(samlToken),
-                    new StackFrame(true));
+                    ValidationError.GetCurrentStackFrame());
             }
 
             if (validationParameters is null)
             {
                 return ValidationError.NullParameter(
                     nameof(validationParameters),
-                    new StackFrame(true));
+                    ValidationError.GetCurrentStackFrame());
             }
 
             // Delegate is set by the user, we call it and return the result.
@@ -45,7 +44,7 @@ internal static ValidationResult<SecurityKey> ValidateSignature(
                         samlToken.Assertion.CanonicalString),
                     ValidationFailureType.SignatureValidationFailed,
                     typeof(SecurityTokenValidationException),
-                    new StackFrame(true));
+                    ValidationError.GetCurrentStackFrame());
 
             IList<SecurityKey>? keys = null;
             SecurityKey? resolvedKey = null;
@@ -66,57 +65,40 @@ internal static ValidationResult<SecurityKey> ValidateSignature(
                 resolvedKey = SamlTokenUtilities.ResolveTokenSigningKey(samlToken.Assertion.Signature.KeyInfo, validationParameters);
             }
 
-            if (resolvedKey is null)
+            bool canMatchKey = samlToken.Assertion.Signature.KeyInfo != null;
+            List<ValidationError>? errors = null;
+            ValidationError? error = null;
+            StringBuilder? keysAttempted = null;
+
+            if (resolvedKey is not null)
             {
-                if (validationParameters.TryAllIssuerSigningKeys)
-                    keys = validationParameters.IssuerSigningKeys;
+                keyMatched = true;
+                var result = ValidateSignatureUsingKey(resolvedKey, samlToken, validationParameters, callContext);
+                if (result.IsValid)
+                    return result;
+
+                error = result.UnwrapError();
             }
             else
             {
-                keys = [resolvedKey];
-                keyMatched = true;
+                if (validationParameters.TryAllIssuerSigningKeys)
+                    keys = validationParameters.IssuerSigningKeys;
             }
 
-            bool canMatchKey = samlToken.Assertion.Signature.KeyInfo != null;
-            List<ValidationError> errors = new();
-            StringBuilder keysAttempted = new();
-
             if (keys is not null)
             {
+                // Control reaches here only if the key could not be resolved and TryAllIssuerSigningKeys is set to true.
+                // We try all the keys in the list and return the first valid key. This is the degenerate case.
                 for (int i = 0; i < keys.Count; i++)
                 {
                     SecurityKey key = keys[i];
-                    ValidationResult<string> algorithmValidationResult = validationParameters.AlgorithmValidator(
-                        samlToken.Assertion.Signature.SignedInfo.SignatureMethod,
-                        key,
-                        samlToken,
-                        validationParameters,
-                        callContext);
+                    var result = ValidateSignatureUsingKey(key, samlToken, validationParameters, callContext);
+                    if (result.IsValid)
+                        return result;
 
-                    if (!algorithmValidationResult.IsValid)
-                    {
-                        errors.Add(algorithmValidationResult.UnwrapError());
-                    }
-                    else
-                    {
-                        var validationError = samlToken.Assertion.Signature.Verify(
-                        key,
-                        validationParameters.CryptoProviderFactory ?? key.CryptoProviderFactory,
-                        callContext);
-
-                        if (validationError is null)
-                        {
-                            samlToken.SigningKey = key;
-
-                            return key;
-                        }
-                        else
-                        {
-                            errors.Add(validationError.AddStackFrame(new StackFrame()));
-                        }
-                    }
+                    (errors ??= new()).Add(result.UnwrapError());
 
-                    keysAttempted.Append(key.ToString());
+                    (keysAttempted ??= new()).Append(key.ToString());
                     if (canMatchKey && !keyMatched && key.KeyId is not null && samlToken.Assertion.Signature.KeyInfo is not null)
                         keyMatched = samlToken.Assertion.Signature.KeyInfo.MatchesKey(key);
                 }
@@ -126,38 +108,88 @@ internal static ValidationResult<SecurityKey> ValidateSignature(
                 return new XmlValidationError(
                     new MessageDetail(
                         TokenLogMessages.IDX10514,
-                        keysAttempted.ToString(),
+                        keysAttempted?.ToString(),
                         samlToken.Assertion.Signature.KeyInfo,
-                        GetErrorStrings(errors),
+                        GetErrorStrings(error, errors),
                         samlToken),
                     ValidationFailureType.SignatureValidationFailed,
                     typeof(SecurityTokenInvalidSignatureException),
-                    new StackFrame(true));
+                    ValidationError.GetCurrentStackFrame());
 
-            if (keysAttempted.Length > 0)
+            string? keysAttemptedString = null;
+            if (resolvedKey is not null)
+                keysAttemptedString = resolvedKey.ToString();
+            else if ((keysAttempted?.Length ?? 0) > 0)
+                keysAttemptedString = keysAttempted!.ToString();
+
+            if (keysAttemptedString is not null)
                 return new XmlValidationError(
                     new MessageDetail(
                         TokenLogMessages.IDX10512,
-                        keysAttempted.ToString(),
-                        GetErrorStrings(errors),
+                        keysAttemptedString,
+                        GetErrorStrings(error, errors),
                         samlToken),
                     ValidationFailureType.SignatureValidationFailed,
                     typeof(SecurityTokenSignatureKeyNotFoundException),
-                    new StackFrame(true));
+                    ValidationError.GetCurrentStackFrame());
 
             return new XmlValidationError(
                 new MessageDetail(TokenLogMessages.IDX10500),
                 ValidationFailureType.SignatureValidationFailed,
                 typeof(SecurityTokenSignatureKeyNotFoundException),
-                new StackFrame(true));
+                ValidationError.GetCurrentStackFrame());
+        }
+
+        private static ValidationResult<SecurityKey> ValidateSignatureUsingKey(SecurityKey key, SamlSecurityToken samlToken, ValidationParameters validationParameters, CallContext callContext)
+        {
+            ValidationResult<string> algorithmValidationResult = validationParameters.AlgorithmValidator(
+                        samlToken.Assertion.Signature.SignedInfo.SignatureMethod,
+                        key,
+                        samlToken,
+                        validationParameters,
+                        callContext);
+
+            if (!algorithmValidationResult.IsValid)
+            {
+                return algorithmValidationResult.UnwrapError().AddCurrentStackFrame();
+            }
+            else
+            {
+                var validationError = samlToken.Assertion.Signature.Verify(
+                key,
+                validationParameters.CryptoProviderFactory ?? key.CryptoProviderFactory,
+                callContext);
+
+                if (validationError is null)
+                {
+                    samlToken.SigningKey = key;
+
+                    return key;
+                }
+                else
+                {
+                    return validationError.AddCurrentStackFrame();
+                }
+            }
         }
 
-        private static string GetErrorStrings(List<ValidationError> errors)
+        private static string GetErrorStrings(ValidationError? error, List<ValidationError>? errors)
         {
+            // This method is called if there are errors in the signature validation process.
+            // This check is there to account for the optional parameter.
+            if (error is not null)
+                return error.MessageDetail.Message;
+
+            if (errors is null)
+                return string.Empty;
+
+            if (errors.Count == 1)
+                return errors[0].MessageDetail.Message;
+
             StringBuilder sb = new();
             for (int i = 0; i < errors.Count; i++)
             {
-                sb.AppendLine(errors[i].ToString());
+                sb.AppendLine(errors[i].MessageDetail.Message);
             }
 
             return sb.ToString();