33
44using System ;
55using System . Collections . Generic ;
6+ using System . Diagnostics ;
67using System . Text ;
78using Microsoft . IdentityModel . Logging ;
89using Microsoft . IdentityModel . Tokens ;
@@ -139,6 +140,10 @@ private static ValidationResult<SecurityKey, ValidationError> ValidateSignatureU
139140 StringBuilder ? exceptionStrings = null ;
140141 StringBuilder ? keysAttempted = null ;
141142
143+ // We want to keep track of all stack frames that were used during validation.
144+ // We capture the stack frames and add to the error.
145+ IList < StackFrame > ? stackFrames = null ;
146+
142147 foreach ( SecurityKey key in keys )
143148 {
144149 if ( key is null )
@@ -154,68 +159,94 @@ private static ValidationResult<SecurityKey, ValidationError> ValidateSignatureU
154159 callContext ) ;
155160
156161 if ( result . Succeeded )
162+ {
163+ jwtToken . SigningKey = key ;
157164 return result ;
165+ }
158166
159167 if ( result . Error is ValidationError validationError )
160168 {
169+ stackFrames ??= [ ] ;
170+
171+ foreach ( StackFrame stackFrame in validationError . StackFrames )
172+ stackFrames . Add ( stackFrame ) ;
173+
161174 exceptionStrings ??= new StringBuilder ( ) ;
162175 keysAttempted ??= new StringBuilder ( ) ;
163176 exceptionStrings . AppendLine ( validationError . MessageDetail . Message ) ;
164177 keysAttempted . AppendLine ( key . ToString ( ) ) ;
165178 }
166179 }
167180
181+ StackFrame currentStackFrame = ValidationError . GetCurrentStackFrame ( ) ;
182+ SignatureValidationError signatureValidationError ;
183+ StackFrame firstStackFrame = ( stackFrames == null ) ? currentStackFrame ! : stackFrames [ 0 ] ;
184+
168185 if ( keysTried )
169186 {
170187 if ( kidExists )
171188 {
172- return new SignatureValidationError (
189+ signatureValidationError = new SignatureValidationError (
173190 new MessageDetail (
174191 TokenLogMessages . IDX10522 ,
175192 LogHelper . MarkAsNonPII ( jwtToken . Kid ) ,
176193 LogHelper . MarkAsNonPII ( validationParameters . SigningKeys . Count ) ,
177194 LogHelper . MarkAsNonPII ( configuration ? . SigningKeys ? . Count ?? 0 ) ,
178195 LogHelper . MarkAsSecurityArtifact ( jwtToken . EncodedToken , JwtTokenUtilities . SafeLogJwtToken ) ) ,
179196 SignatureValidationFailure . SigningKeyNotFound ,
180- ValidationError . GetCurrentStackFrame ( ) ) ;
197+ firstStackFrame ) ;
181198 }
182199 else
183200 {
184- return new SignatureValidationError (
201+ signatureValidationError = new SignatureValidationError (
185202 new MessageDetail (
186203 TokenLogMessages . IDX10523 ,
187204 LogHelper . MarkAsNonPII ( validationParameters . SigningKeys . Count ) ,
188205 LogHelper . MarkAsNonPII ( configuration ? . SigningKeys ? . Count ?? 0 ) ,
189206 LogHelper . MarkAsSecurityArtifact ( jwtToken . EncodedToken , JwtTokenUtilities . SafeLogJwtToken ) ) ,
190207 SignatureValidationFailure . SigningKeyNotFound ,
191- ValidationError . GetCurrentStackFrame ( ) ) ;
208+ firstStackFrame ) ;
192209 }
193210 }
194-
195- if ( kidExists )
211+ else if ( kidExists )
196212 {
197213 // No keys were attempted, return the error.
198214 // This is the case where the user specified a kid, but no keys were found.
199215 // This is not an error, but a warning that no keys were found for the specified kid.
200- return new SignatureValidationError (
216+ signatureValidationError = new SignatureValidationError (
201217 new MessageDetail (
202218 TokenLogMessages . IDX10524 ,
203219 LogHelper . MarkAsNonPII ( jwtToken . Kid ) ,
204220 LogHelper . MarkAsNonPII ( validationParameters . SigningKeys . Count ) ,
205221 LogHelper . MarkAsNonPII ( configuration ? . SigningKeys ? . Count ?? 0 ) ,
206222 LogHelper . MarkAsSecurityArtifact ( jwtToken . EncodedToken , JwtTokenUtilities . SafeLogJwtToken ) ) ,
207223 SignatureValidationFailure . SigningKeyNotFound ,
208- ValidationError . GetCurrentStackFrame ( ) ) ;
224+ firstStackFrame ) ;
225+ }
226+ else
227+ {
228+ signatureValidationError = new SignatureValidationError (
229+ new MessageDetail (
230+ TokenLogMessages . IDX10525 ,
231+ LogHelper . MarkAsNonPII ( validationParameters . SigningKeys . Count ) ,
232+ LogHelper . MarkAsNonPII ( configuration ? . SigningKeys ? . Count ?? 0 ) ,
233+ LogHelper . MarkAsSecurityArtifact ( jwtToken . EncodedToken , JwtTokenUtilities . SafeLogJwtToken ) ) ,
234+ SignatureValidationFailure . SigningKeyNotFound ,
235+ firstStackFrame ) ;
209236 }
210237
211- return new SignatureValidationError (
212- new MessageDetail (
213- TokenLogMessages . IDX10525 ,
214- LogHelper . MarkAsNonPII ( validationParameters . SigningKeys . Count ) ,
215- LogHelper . MarkAsNonPII ( configuration ? . SigningKeys ? . Count ?? 0 ) ,
216- LogHelper . MarkAsSecurityArtifact ( jwtToken . EncodedToken , JwtTokenUtilities . SafeLogJwtToken ) ) ,
217- SignatureValidationFailure . SigningKeyNotFound ,
218- ValidationError . GetCurrentStackFrame ( ) ) ;
238+ if ( stackFrames != null )
239+ {
240+ for ( int i = 1 ; i < stackFrames . Count ; i ++ )
241+ {
242+ if ( stackFrames [ i ] != null )
243+ signatureValidationError . StackFrames . Add ( stackFrames [ i ] ) ;
244+ }
245+
246+ signatureValidationError . StackFrames . Add ( currentStackFrame ) ;
247+ }
248+
249+ return signatureValidationError ;
219250 }
220251
221252 private static ValidationResult < SecurityKey , ValidationError > ValidateSignatureWithKey (
@@ -234,7 +265,7 @@ private static ValidationResult<SecurityKey, ValidationError> ValidateSignatureW
234265 TokenLogMessages . IDX10652 ,
235266 LogHelper . MarkAsNonPII ( jsonWebToken . Alg ) ,
236267 key ) ,
237- AlgorithmValidationFailure . AlgorithmIsNotSupported ,
268+ AlgorithmValidationFailure . NotSupported ,
238269 ValidationError . GetCurrentStackFrame ( ) ) ;
239270 }
240271
0 commit comments