AzureAD · iNinja · Nov 8, 2024 · Oct 31, 2024 · Oct 31, 2024 · Oct 31, 2024
@@ -30,6 +30,8 @@ static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrame
 static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.IssuerValidationFailed -> System.Diagnostics.StackFrame
 static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.LifetimeValidationFailed -> System.Diagnostics.StackFrame
 static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.OneTimeUseValidationFailed -> System.Diagnostics.StackFrame
+static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.SignatureValidationFailed -> System.Diagnostics.StackFrame
 static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.TokenNull -> System.Diagnostics.StackFrame
 static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.StackFrames.TokenValidationParametersNull -> System.Diagnostics.StackFrame
+static Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ValidateSignature(Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityToken samlToken, Microsoft.IdentityModel.Tokens.ValidationParameters validationParameters, Microsoft.IdentityModel.Tokens.CallContext callContext) -> Microsoft.IdentityModel.Tokens.ValidationResult<Microsoft.IdentityModel.Tokens.SecurityKey>
 virtual Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidateConditions(Microsoft.IdentityModel.Tokens.Saml.SamlSecurityToken samlToken, Microsoft.IdentityModel.Tokens.ValidationParameters validationParameters, Microsoft.IdentityModel.Tokens.CallContext callContext) -> Microsoft.IdentityModel.Tokens.ValidationResult<Microsoft.IdentityModel.Tokens.Saml.SamlSecurityTokenHandler.ValidatedConditions>
@@ -0,0 +1,168 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Text;
+using Microsoft.IdentityModel.Tokens.Saml;
+using Microsoft.IdentityModel.Xml;
+using TokenLogMessages = Microsoft.IdentityModel.Tokens.LogMessages;
+
+#nullable enable
+namespace Microsoft.IdentityModel.Tokens.Saml2
+{
+    public partial class Saml2SecurityTokenHandler : SecurityTokenHandler
+    {
+        internal static ValidationResult<SecurityKey> ValidateSignature(
+            Saml2SecurityToken samlToken,
+            ValidationParameters validationParameters,
+#pragma warning disable CA1801 // Review unused parameters
+            CallContext callContext)
+#pragma warning restore CA1801 // Review unused parameters
+        {
+            if (samlToken is null)
+            {
+                return ValidationError.NullParameter(
+                    nameof(samlToken),
+                    new StackFrame(true));
+            }
+
+            if (validationParameters is null)
+            {
+                return ValidationError.NullParameter(
+                    nameof(validationParameters),
+                    new StackFrame(true));
+            }
+
+            // Delegate is set by the user, we call it and return the result.
+            if (validationParameters.SignatureValidator is not null)
+                return validationParameters.SignatureValidator(samlToken, validationParameters, null, callContext);
+
+            // If the user wants to accept unsigned tokens, they must implement the delegate
+            if (samlToken.Assertion.Signature is null)
+                return new XmlValidationError(
+                    new MessageDetail(
+                        TokenLogMessages.IDX10504,
+                        samlToken.Assertion.CanonicalString),
+                    ValidationFailureType.SignatureValidationFailed,
+                    typeof(SecurityTokenValidationException),
+                    new StackFrame(true));
+
+            IList<SecurityKey>? keys = null;
+            SecurityKey? resolvedKey = null;
+            bool keyMatched = false;
+
+            if (validationParameters.IssuerSigningKeyResolver is not null)
+            {
+                resolvedKey = validationParameters.IssuerSigningKeyResolver(
+                    samlToken.Assertion.CanonicalString,
+                    samlToken,
+                    samlToken.Assertion.Signature.KeyInfo?.Id,
+                    validationParameters,
+                    null,
+                    callContext);
+            }
+            else
+            {
+                resolvedKey = SamlTokenUtilities.ResolveTokenSigningKey(samlToken.Assertion.Signature.KeyInfo, validationParameters);
+            }
+
+            if (resolvedKey is null)
+            {
+                if (validationParameters.TryAllIssuerSigningKeys)
+                    keys = validationParameters.IssuerSigningKeys;
+            }
+            else
+            {
+                keys = [resolvedKey];
+                keyMatched = true;
+            }
+
+            bool canMatchKey = samlToken.Assertion.Signature.KeyInfo != null;
+            List<ValidationError> errors = new();
+            StringBuilder keysAttempted = new();
+
+            if (keys is not null)
+            {
+                for (int i = 0; i < keys.Count; i++)
+                {
+                    SecurityKey key = keys[i];
+                    ValidationResult<string> algorithmValidationResult = validationParameters.AlgorithmValidator(
+                        samlToken.Assertion.Signature.SignedInfo.SignatureMethod,
+                        key,
+                        samlToken,
+                        validationParameters,
+                        callContext);
+
+                    if (!algorithmValidationResult.IsValid)
+                    {
+                        errors.Add(algorithmValidationResult.UnwrapError());
+                    }
+                    else
+                    {
+                        var validationError = samlToken.Assertion.Signature.Verify(
+                        key,
+                        validationParameters.CryptoProviderFactory ?? key.CryptoProviderFactory,
+                        callContext);
+
+                        if (validationError is null)
+                        {
+                            samlToken.SigningKey = key;
+
+                            return key;
+                        }
+                        else
+                        {
+                            errors.Add(validationError.AddStackFrame(new StackFrame()));
+                        }
+                    }
+
+                    keysAttempted.Append(key.ToString());
+                    if (canMatchKey && !keyMatched && key.KeyId is not null && samlToken.Assertion.Signature.KeyInfo is not null)
+                        keyMatched = samlToken.Assertion.Signature.KeyInfo.MatchesKey(key);
+                }
+            }
+
+            if (canMatchKey && keyMatched)
+                return new XmlValidationError(
+                    new MessageDetail(
+                        TokenLogMessages.IDX10514,
+                        keysAttempted.ToString(),
+                        samlToken.Assertion.Signature.KeyInfo,
+                        GetErrorStrings(errors),
+                        samlToken),
+                    ValidationFailureType.SignatureValidationFailed,
+                    typeof(SecurityTokenInvalidSignatureException),
+                    new StackFrame(true));
+
+            if (keysAttempted.Length > 0)
+                return new XmlValidationError(
+                    new MessageDetail(
+                        TokenLogMessages.IDX10512,
+                        keysAttempted.ToString(),
+                        GetErrorStrings(errors),
+                        samlToken),
+                    ValidationFailureType.SignatureValidationFailed,
+                    typeof(SecurityTokenSignatureKeyNotFoundException),
+                    new StackFrame(true));
+
+            return new XmlValidationError(
+                new MessageDetail(TokenLogMessages.IDX10500),
+                ValidationFailureType.SignatureValidationFailed,
+                typeof(SecurityTokenSignatureKeyNotFoundException),
+                new StackFrame(true));
+        }
+
+        private static string GetErrorStrings(List<ValidationError> errors)
+        {
+            StringBuilder sb = new();
+            for (int i = 0; i < errors.Count; i++)
+            {
+                sb.AppendLine(errors[i].ToString());
+            }
+
+            return sb.ToString();
+        }
+    }
+}
+#nullable restore
@@ -63,6 +63,13 @@ internal async Task<ValidationResult<ValidatedToken>> ValidateTokenAsync(
                 return validatedIssuerResult.UnwrapError().AddStackFrame(StackFrames.IssuerValidationFailed);
             }
 
+            var signatureValidationResult = ValidateSignature(samlToken, validationParameters, callContext);
+            if (!signatureValidationResult.IsValid)
+            {
+                StackFrames.SignatureValidationFailed ??= new StackFrame(true);
+                return signatureValidationResult.UnwrapError().AddStackFrame(StackFrames.SignatureValidationFailed);
+            }
+
             return new ValidatedToken(samlToken, this, validationParameters);
         }
 

@@ -14,12 +14,13 @@ internal static class StackFrames
             // Stack frames from ValidateTokenAsync using SecurityToken
             internal static StackFrame? TokenNull;
             internal static StackFrame? TokenValidationParametersNull;
+            internal static StackFrame? IssuerValidationFailed;
+            internal static StackFrame? SignatureValidationFailed;
 
             // Stack frames from ValidateConditions
             internal static StackFrame? AudienceValidationFailed;
             internal static StackFrame? AssertionNull;
             internal static StackFrame? AssertionConditionsNull;
-            internal static StackFrame? IssuerValidationFailed;
             internal static StackFrame? AssertionConditionsValidationFailed;
             internal static StackFrame? LifetimeValidationFailed;
             internal static StackFrame? OneTimeUseValidationFailed;