diff --git a/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.CreateToken.cs b/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.CreateToken.cs index c05ec8bce1..30adf794ec 100644 --- a/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.CreateToken.cs +++ b/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.CreateToken.cs @@ -1274,7 +1274,10 @@ internal static string EncryptToken(byte[] innerTokenUtf8Bytes, SecurityTokenDes } catch (Exception ex) { - throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10616, LogHelper.MarkAsNonPII(encryptingCredentials.Enc), encryptingCredentials.Key), ex)); + throw LogHelper.LogExceptionMessage( + new SecurityTokenEncryptionFailedException( + LogHelper.FormatInvariant(TokenLogMessages.IDX10616, LogHelper.MarkAsNonPII(encryptingCredentials.Enc), LogHelper.MarkAsNonPII(encryptingCredentials.Key.KeyId)), + ex)); } } } @@ -1296,13 +1299,13 @@ internal IEnumerable GetContentEncryptionKeys(JsonWebToken jwtToken if (key != null) { if (LogHelper.IsEnabled(EventLogLevel.Informational)) - LogHelper.LogInformation(TokenLogMessages.IDX10904, key); + LogHelper.LogInformation(TokenLogMessages.IDX10904, LogHelper.MarkAsNonPII(key.KeyId)); } else if (configuration != null) { key = ResolveTokenDecryptionKeyFromConfig(jwtToken, configuration); if (key != null && LogHelper.IsEnabled(EventLogLevel.Informational)) - LogHelper.LogInformation(TokenLogMessages.IDX10905, key); + LogHelper.LogInformation(TokenLogMessages.IDX10905, LogHelper.MarkAsNonPII(key.KeyId)); } if (key != null) 
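Review bot: `LogHelper.MarkAsNonPII(encryptingCredentials.Key.KeyId)` in the rebuilt IDX10616 throw leaves the message without any key identification when the key carries no `kid`, which is often the case for keys constructed in memory, whereas the previous `encryptingCredentials.Key` argument at least rendered the key type. A type name is not PII, so `LogHelper.MarkAsNonPII(encryptingCredentials.Key.KeyId ?? encryptingCredentials.Key.GetType().Name)` would keep the diagnostic useful without reintroducing key material; ValidateSignatureWithKey and SignedHttpRequestHandler already use a `KeyId ?? "Null"` fallback in this commit, so one convention should be chosen. The same unguarded `KeyId` argument recurs in the GetContentEncryptionKeys, DecryptToken, DecryptJwtToken, GetSecurityKey, CreateEncodedSignature, AsymmetricAdapter, AsymmetricSignatureProvider, CryptoProviderFactory and AuthenticatedEncryptionProvider hunks, and the `AppendLine(key.KeyId)` builders there emit a blank line for such keys. What MarkAsNonPII renders for a null argument is not visible on this page. EncryptToken's try block starts before this hunk.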
@@ -1383,13 +1386,19 @@ internal IEnumerable GetContentEncryptionKeys(JsonWebToken jwtToken (exceptionStrings ??= new StringBuilder()).AppendLine(ex.ToString()); } - (keysAttempted ??= new StringBuilder()).AppendLine(key.ToString()); + (keysAttempted ??= new StringBuilder()).AppendLine(key.KeyId); } if (unwrappedKeys.Count > 0 || exceptionStrings is null) return unwrappedKeys; else - throw LogHelper.LogExceptionMessage(new SecurityTokenKeyWrapException(LogHelper.FormatInvariant(TokenLogMessages.IDX10618, (object)keysAttempted ?? "", (object)exceptionStrings ?? "", jwtToken))); + throw LogHelper.LogExceptionMessage( + new SecurityTokenKeyWrapException( + LogHelper.FormatInvariant( + TokenLogMessages.IDX10618, + LogHelper.MarkAsNonPII((object)keysAttempted ?? ""), + LogHelper.MarkAsNonPII((object)exceptionStrings ?? ""), + jwtToken))); } } } diff --git a/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.DecryptToken.cs b/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.DecryptToken.cs index 4ca9467379..2f63413798 100644 --- a/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.DecryptToken.cs +++ b/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.DecryptToken.cs @@ -196,7 +196,7 @@ internal ValidationResult DecryptToken( (exceptionStrings ??= new StringBuilder()).AppendLine(ex.ToString()); } - (keysAttempted ??= new StringBuilder()).AppendLine(key.ToString()); + (keysAttempted ??= new StringBuilder()).AppendLine(key.KeyId); } if (unwrappedKeys.Count > 0 || exceptionStrings is null) @@ -206,7 +206,7 @@ internal ValidationResult DecryptToken( ValidationError validationError = new( new MessageDetail( TokenLogMessages.IDX10618, - keysAttempted?.ToString() ?? "", + LogHelper.MarkAsNonPII(keysAttempted?.ToString() ?? ""), exceptionStrings?.ToString() ?? "", LogHelper.MarkAsSecurityArtifact(jwtToken, JwtTokenUtilities.SafeLogJwtToken)), ValidationFailureType.TokenDecryptionFailed, 
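Review bot: `LogHelper.MarkAsNonPII((object)exceptionStrings ?? "")` in the rebuilt IDX10618 throw opts the aggregated `ex.ToString()` text out of PII redaction, yet that text carries messages and stack traces from whatever key-wrap provider or custom CryptoProviderFactory threw inside the loop and is not under this library's control. Only `keysAttempted` is guaranteed to hold nothing but key ids after this change; I would leave `exceptionStrings` unmarked, as the DecryptToken hunk in JsonWebTokenHandler.DecryptToken.cs and GetDecryptionError in JwtTokenUtilities.cs do for the same messages, so all three paths redact alike. `jwtToken` is still passed raw here while the DecryptToken counterpart wraps it in `LogHelper.MarkAsSecurityArtifact(jwtToken, JwtTokenUtilities.SafeLogJwtToken)`; that predates the commit, but it is the same class of leak this commit is closing and is worth aligning in the same pass. The key loop of GetContentEncryptionKeys starts before this hunk.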
diff --git a/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.ValidateSignature.cs b/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.ValidateSignature.cs index 61cc6e4952..0b425260ea 100644 --- a/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.ValidateSignature.cs +++ b/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.ValidateSignature.cs @@ -297,7 +297,7 @@ private static ValidationResult ValidateSignatureWithKey( return new SignatureValidationError( new MessageDetail( TokenLogMessages.IDX10636, - key?.ToString() ?? "Null", + LogHelper.MarkAsNonPII(key?.KeyId ?? "Null"), LogHelper.MarkAsNonPII(jsonWebToken.Alg)), ValidationFailureType.SignatureValidationFailed, typeof(SecurityTokenInvalidOperationException), diff --git a/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.ValidateToken.cs b/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.ValidateToken.cs index d01751bd4c..203a13339f 100644 --- a/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.ValidateToken.cs +++ b/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.ValidateToken.cs @@ -320,7 +320,7 @@ internal static bool ValidateSignature(JsonWebToken jsonWebToken, SecurityKey ke if (!cryptoProviderFactory.IsSupportedAlgorithm(jsonWebToken.Alg, key)) { if (LogHelper.IsEnabled(EventLogLevel.Informational)) - LogHelper.LogInformation(LogMessages.IDX14000, LogHelper.MarkAsNonPII(jsonWebToken.Alg), key); + LogHelper.LogInformation(LogMessages.IDX14000, LogHelper.MarkAsNonPII(jsonWebToken.Alg), LogHelper.MarkAsNonPII(key.KeyId)); return false; } 
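Review bot: `LogHelper.MarkAsNonPII(key.KeyId)` in the IDX14000 log call of ValidateSignature dereferences `key` unconditionally, while the next hunk of the same method (`@@ -330`) still treats `key == null` as reachable for IDX10636; one of the two sites is wrong about the contract. If `key` can be null at the first site, the diagnostic branch now throws NullReferenceException instead of logging and returning false, and `LogHelper.MarkAsNonPII(key?.KeyId ?? "Null")` as used in ValidateSignatureWithKey would be safe either way. Whether `cryptoProviderFactory` was derived from `key` above the hunk, which would make the null case unreachable, is not visible here. ValidateSignature starts before this hunk and continues past it.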
@@ -330,7 +330,12 @@ internal static bool ValidateSignature(JsonWebToken jsonWebToken, SecurityKey ke try { if (signatureProvider == null) - throw LogHelper.LogExceptionMessage(new InvalidOperationException(LogHelper.FormatInvariant(TokenLogMessages.IDX10636, key == null ? "Null" : key.ToString(), LogHelper.MarkAsNonPII(jsonWebToken.Alg)))); + throw LogHelper.LogExceptionMessage + (new InvalidOperationException( + LogHelper.FormatInvariant( + TokenLogMessages.IDX10636, + LogHelper.MarkAsNonPII(key == null ? "Null" : key.KeyId), + LogHelper.MarkAsNonPII(jsonWebToken.Alg)))); return EncodingUtils.PerformEncodingDependentOperation( jsonWebToken.EncodedToken, diff --git a/src/Microsoft.IdentityModel.JsonWebTokens/JwtTokenUtilities.DecryptTokenResult.cs b/src/Microsoft.IdentityModel.JsonWebTokens/JwtTokenUtilities.DecryptTokenResult.cs index 82a416b751..a1165159bd 100644 --- a/src/Microsoft.IdentityModel.JsonWebTokens/JwtTokenUtilities.DecryptTokenResult.cs +++ b/src/Microsoft.IdentityModel.JsonWebTokens/JwtTokenUtilities.DecryptTokenResult.cs @@ -94,7 +94,7 @@ internal static ValidationResult DecryptJwtToken( } if (key != null) - (keysAttempted ??= new StringBuilder()).AppendLine(key.ToString()); + (keysAttempted ??= new StringBuilder()).AppendLine(key.KeyId); } if (!decryptionSucceeded) diff --git a/src/Microsoft.IdentityModel.JsonWebTokens/JwtTokenUtilities.cs b/src/Microsoft.IdentityModel.JsonWebTokens/JwtTokenUtilities.cs index 02eb40bce4..f4f8ceb558 100644 --- a/src/Microsoft.IdentityModel.JsonWebTokens/JwtTokenUtilities.cs +++ b/src/Microsoft.IdentityModel.JsonWebTokens/JwtTokenUtilities.cs 
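Review bot: The rebuilt IDX10636 throw breaks the line between `LogHelper.LogExceptionMessage` and `(new InvalidOperationException(`, leaving the call's opening parenthesis at the start of a line, which no other rewrapped throw in this commit does. `throw LogHelper.LogExceptionMessage(` followed by `new InvalidOperationException(` on the next line matches the CreateEncodedSignature hunks in JwtTokenUtilities.cs. ValidateSignature continues past the end of this hunk.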
@@ -73,7 +73,12 @@ public static string CreateEncodedSignature(string input, SigningCredentials sig var cryptoProviderFactory = signingCredentials.CryptoProviderFactory ?? signingCredentials.Key.CryptoProviderFactory; var signatureProvider = cryptoProviderFactory.CreateForSigning(signingCredentials.Key, signingCredentials.Algorithm); if (signatureProvider == null) - throw LogHelper.LogExceptionMessage(new InvalidOperationException(LogHelper.FormatInvariant(TokenLogMessages.IDX10637, signingCredentials.Key == null ? "Null" : signingCredentials.Key.ToString(), LogHelper.MarkAsNonPII(signingCredentials.Algorithm)))); + throw LogHelper.LogExceptionMessage( + new InvalidOperationException( + LogHelper.FormatInvariant( + TokenLogMessages.IDX10637, + LogHelper.MarkAsNonPII(signingCredentials.Key == null ? "Null" : signingCredentials.Key.KeyId), + LogHelper.MarkAsNonPII(signingCredentials.Algorithm)))); try { @@ -105,7 +110,12 @@ public static string CreateEncodedSignature(string input, SigningCredentials sig var cryptoProviderFactory = signingCredentials.CryptoProviderFactory ?? signingCredentials.Key.CryptoProviderFactory; var signatureProvider = cryptoProviderFactory.CreateForSigning(signingCredentials.Key, signingCredentials.Algorithm, cacheProvider); if (signatureProvider == null) - throw LogHelper.LogExceptionMessage(new InvalidOperationException(LogHelper.FormatInvariant(TokenLogMessages.IDX10637, signingCredentials.Key == null ? "Null" : signingCredentials.Key.ToString(), LogHelper.MarkAsNonPII(signingCredentials.Algorithm)))); + throw LogHelper.LogExceptionMessage( + new InvalidOperationException( + LogHelper.FormatInvariant( + TokenLogMessages.IDX10637, + LogHelper.MarkAsNonPII(signingCredentials.Key == null ? "Null" : signingCredentials.Key.KeyId), + LogHelper.MarkAsNonPII(signingCredentials.Algorithm)))); try { 
@@ -138,7 +148,7 @@ internal static byte[] CreateEncodedSignature( new InvalidOperationException( LogHelper.FormatInvariant( TokenLogMessages.IDX10637, - signingCredentials.Key == null ? "Null" : signingCredentials.Key.ToString(), + LogHelper.MarkAsNonPII(signingCredentials.Key == null ? "Null" : signingCredentials.Key.KeyId), LogHelper.MarkAsNonPII(signingCredentials.Algorithm)))); try @@ -179,7 +189,8 @@ internal static bool CreateSignature( throw LogHelper.LogExceptionMessage( new InvalidOperationException( LogHelper.FormatInvariant( - TokenLogMessages.IDX10637, signingCredentials.Key == null ? "Null" : signingCredentials.Key.ToString(), + TokenLogMessages.IDX10637, + LogHelper.MarkAsNonPII(signingCredentials.Key == null ? "Null" : signingCredentials.Key.KeyId), LogHelper.MarkAsNonPII(signingCredentials.Algorithm)))); try @@ -257,7 +268,7 @@ internal static string DecryptJwtToken( if (cryptoProviderFactory == null) { if (LogHelper.IsEnabled(EventLogLevel.Warning)) - LogHelper.LogWarning(TokenLogMessages.IDX10607, key); + LogHelper.LogWarning(TokenLogMessages.IDX10607, LogHelper.MarkAsNonPII(key.KeyId)); continue; } @@ -273,7 +284,7 @@ internal static string DecryptJwtToken( if (!cryptoProviderFactory.IsSupportedAlgorithm(jsonWebToken.Enc, key)) { if (LogHelper.IsEnabled(EventLogLevel.Warning)) - LogHelper.LogWarning(TokenLogMessages.IDX10611, LogHelper.MarkAsNonPII(decryptionParameters.Enc), key); + LogHelper.LogWarning(TokenLogMessages.IDX10611, LogHelper.MarkAsNonPII(decryptionParameters.Enc), LogHelper.MarkAsNonPII(key.KeyId)); algorithmNotSupportedByCryptoProvider = true; continue; 
@@ -299,7 +310,7 @@ internal static string DecryptJwtToken( if (!cryptoProviderFactory.IsSupportedAlgorithm(decryptionParameters.Enc, key)) { if (LogHelper.IsEnabled(EventLogLevel.Warning)) - LogHelper.LogWarning(TokenLogMessages.IDX10611, LogHelper.MarkAsNonPII(decryptionParameters.Enc), key); + LogHelper.LogWarning(TokenLogMessages.IDX10611, LogHelper.MarkAsNonPII(decryptionParameters.Enc), LogHelper.MarkAsNonPII(key.KeyId)); algorithmNotSupportedByCryptoProvider = true; continue; @@ -326,7 +337,7 @@ internal static string DecryptJwtToken( } if (key != null) - (keysAttempted ??= new StringBuilder()).AppendLine(key.ToString()); + (keysAttempted ??= new StringBuilder()).AppendLine(key.KeyId); } if (!decryptionSucceeded) @@ -367,7 +378,7 @@ private static ValidationError GetDecryptionError( return new ValidationError( new MessageDetail( TokenLogMessages.IDX10603, - keysAttempted.ToString(), + LogHelper.MarkAsNonPII(keysAttempted.ToString()), exceptionStrings?.ToString() ?? string.Empty, LogHelper.MarkAsSecurityArtifact(decryptionParameters.EncodedToken, SafeLogJwtToken)), ValidationFailureType.TokenDecryptionFailed, @@ -397,7 +408,7 @@ private static byte[] DecryptToken(CryptoProviderFactory cryptoProviderFactory, using (AuthenticatedEncryptionProvider decryptionProvider = cryptoProviderFactory.CreateAuthenticatedEncryptionProvider(key, encAlg)) { if (decryptionProvider == null) - throw LogHelper.LogExceptionMessage(new InvalidOperationException(LogHelper.FormatInvariant(TokenLogMessages.IDX10610, key, LogHelper.MarkAsNonPII(encAlg)))); + throw LogHelper.LogExceptionMessage(new InvalidOperationException(LogHelper.FormatInvariant(TokenLogMessages.IDX10610, LogHelper.MarkAsNonPII(key.KeyId), LogHelper.MarkAsNonPII(encAlg)))); return decryptionProvider.Decrypt( ciphertext, 
@@ -445,7 +456,8 @@ internal static SecurityKey GetSecurityKey( if (JwtConstants.DirectKeyUseAlg.Equals(encryptingCredentials.Alg)) { if (!cryptoProviderFactory.IsSupportedAlgorithm(encryptingCredentials.Enc, encryptingCredentials.Key)) - throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10615, LogHelper.MarkAsNonPII(encryptingCredentials.Enc), encryptingCredentials.Key))); + throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException( + LogHelper.FormatInvariant(TokenLogMessages.IDX10615, LogHelper.MarkAsNonPII(encryptingCredentials.Enc), LogHelper.MarkAsNonPII(encryptingCredentials.Key.KeyId)))); securityKey = encryptingCredentials.Key; } @@ -484,7 +496,8 @@ internal static SecurityKey GetSecurityKey( else { if (!cryptoProviderFactory.IsSupportedAlgorithm(encryptingCredentials.Alg, encryptingCredentials.Key)) - throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10615, LogHelper.MarkAsNonPII(encryptingCredentials.Alg), encryptingCredentials.Key))); + throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException( + LogHelper.FormatInvariant(TokenLogMessages.IDX10615, LogHelper.MarkAsNonPII(encryptingCredentials.Alg), LogHelper.MarkAsNonPII(encryptingCredentials.Key.KeyId)))); // only 128, 384 and 512 AesCbcHmac for CEK algorithm if (SecurityAlgorithms.Aes128CbcHmacSha256.Equals(encryptingCredentials.Enc)) diff --git a/src/Microsoft.IdentityModel.Protocols.OpenIdConnect/Configuration/OpenIdConnectConfigurationValidator.cs b/src/Microsoft.IdentityModel.Protocols.OpenIdConnect/Configuration/OpenIdConnectConfigurationValidator.cs index ae5b756c5c..97fcf7d073 100644 --- a/src/Microsoft.IdentityModel.Protocols.OpenIdConnect/Configuration/OpenIdConnectConfigurationValidator.cs +++ b/src/Microsoft.IdentityModel.Protocols.OpenIdConnect/Configuration/OpenIdConnectConfigurationValidator.cs 
@@ -57,7 +57,7 @@ public ConfigurationValidationResult Validate(OpenIdConnectConfiguration openIdC LogMessages.IDX21818, LogHelper.MarkAsNonPII(MinimumNumberOfKeys), LogHelper.MarkAsNonPII(numberOfValidKeys), - string.IsNullOrEmpty(convertKeyInfos) ? "None" : convertKeyInfos), + string.IsNullOrEmpty(convertKeyInfos) ? "None" : LogHelper.MarkAsNonPII(convertKeyInfos)), Succeeded = false }; } diff --git a/src/Microsoft.IdentityModel.Protocols.SignedHttpRequest/SignedHttpRequestHandler.cs b/src/Microsoft.IdentityModel.Protocols.SignedHttpRequest/SignedHttpRequestHandler.cs index 1411d14732..24e5fc7163 100644 --- a/src/Microsoft.IdentityModel.Protocols.SignedHttpRequest/SignedHttpRequestHandler.cs +++ b/src/Microsoft.IdentityModel.Protocols.SignedHttpRequest/SignedHttpRequestHandler.cs @@ -656,7 +656,9 @@ internal virtual async Task ValidateSignatureAsync(JsonWebToken sig { signatureProvider = popKey.CryptoProviderFactory.CreateForVerifying(popKey, signedHttpRequest.Alg, false); if (signatureProvider == null) - throw LogHelper.LogExceptionMessage(new InvalidOperationException(LogHelper.FormatInvariant(Tokens.LogMessages.IDX10636, popKey.ToString(), LogHelper.MarkAsNonPII(signedHttpRequest.Alg)))); + throw LogHelper.LogExceptionMessage( + new InvalidOperationException( + LogHelper.FormatInvariant(Tokens.LogMessages.IDX10636, LogHelper.MarkAsNonPII(popKey.KeyId), LogHelper.MarkAsNonPII(signedHttpRequest.Alg)))); if (EncodingUtils.PerformEncodingDependentOperation( signedHttpRequest.EncodedToken, 
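Review bot: `string.IsNullOrEmpty(convertKeyInfos) ? "None" : LogHelper.MarkAsNonPII(convertKeyInfos)` marks only one arm of the conditional, so the two arms have different static types and the "None" literal reaches the formatter as a bare string while the other branch goes through the marker. Wrapping the whole expression, `LogHelper.MarkAsNonPII(string.IsNullOrEmpty(convertKeyInfos) ? "None" : convertKeyInfos)`, treats both outcomes alike and reads more clearly. Whether `convertKeyInfos` holds only key ids or a fuller rendering of the JWKS entries is decided above the hunk and should be confirmed before declaring it non-PII. Validate's body starts before this hunk.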
@@ -1099,7 +1101,7 @@ internal virtual SecurityKey ResolvePopKeyFromJwk(JsonWebKey jsonWebKey, SignedH throw LogHelper.LogExceptionMessage(new SignedHttpRequestInvalidPopKeyException(LogHelper.FormatInvariant(LogMessages.IDX23015, LogHelper.MarkAsNonPII(key.GetType().ToString())))); } else - throw LogHelper.LogExceptionMessage(new SignedHttpRequestInvalidPopKeyException(LogHelper.FormatInvariant(LogMessages.IDX23016, jsonWebKey.ToString()))); + throw LogHelper.LogExceptionMessage(new SignedHttpRequestInvalidPopKeyException(LogHelper.FormatInvariant(LogMessages.IDX23016, LogHelper.MarkAsNonPII(jsonWebKey.KeyId)))); } /// @@ -1164,7 +1166,8 @@ internal virtual async Task ResolvePopKeyFromJkuAsync(string jkuSet new SignedHttpRequestInvalidPopKeyException( LogHelper.FormatInvariant( LogMessages.IDX23021, - LogHelper.MarkAsNonPII(cnf.Kid), string.Join(", ", popKeys.Select(x => x.KeyId ?? "Null"))))); + LogHelper.MarkAsNonPII(cnf.Kid), + LogHelper.MarkAsNonPII(string.Join(", ", popKeys.Select(x => x.KeyId ?? "Null")))))); } else { diff --git a/src/Microsoft.IdentityModel.Protocols.SignedHttpRequest/SignedHttpRequestUtilities.cs b/src/Microsoft.IdentityModel.Protocols.SignedHttpRequest/SignedHttpRequestUtilities.cs index ae3a9d72e7..7df7a9f04c 100644 --- a/src/Microsoft.IdentityModel.Protocols.SignedHttpRequest/SignedHttpRequestUtilities.cs +++ b/src/Microsoft.IdentityModel.Protocols.SignedHttpRequest/SignedHttpRequestUtilities.cs 
@@ -106,7 +106,12 @@ internal static async Task DecryptSymmetricPopKeyAsync(JsonWebTokenH } catch (Exception e) { - throw LogHelper.LogExceptionMessage(new SignedHttpRequestInvalidPopKeyException(LogHelper.FormatInvariant(LogMessages.IDX23018, string.Join(", ", decryptionKeys.Select(x => x?.KeyId ?? "Null")), e), e)); + throw LogHelper.LogExceptionMessage(new SignedHttpRequestInvalidPopKeyException( + LogHelper.FormatInvariant( + LogMessages.IDX23018, + LogHelper.MarkAsNonPII(string.Join(", ", decryptionKeys.Select(x => x?.KeyId ?? "Null"))), + e), + e)); } } } diff --git a/src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlSecurityTokenHandler.ValidateSignature.cs b/src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlSecurityTokenHandler.ValidateSignature.cs index 5681070c45..bb446c3f9c 100644 --- a/src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlSecurityTokenHandler.ValidateSignature.cs +++ b/src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlSecurityTokenHandler.ValidateSignature.cs @@ -4,6 +4,7 @@ using System; using System.Collections.Generic; using System.Text; +using Microsoft.IdentityModel.Logging; using TokenLogMessages = Microsoft.IdentityModel.Tokens.LogMessages; #nullable enable @@ -120,7 +121,7 @@ internal static ValidationResult ValidateSignature( (errors ??= new()).Add(result.UnwrapError()); - (keysAttempted ??= new()).Append(key.ToString()); + (keysAttempted ??= new()).Append(key.KeyId); if (canMatchKey && !keyMatched && key.KeyId is not null && samlToken.Assertion.Signature.KeyInfo is not null) keyMatched = samlToken.Assertion.Signature.KeyInfo.MatchesKey(key); } @@ -130,7 +131,7 @@ internal static ValidationResult ValidateSignature( return new SignatureValidationError( new MessageDetail( TokenLogMessages.IDX10514, - keysAttempted?.ToString(), + LogHelper.MarkAsNonPII(keysAttempted?.ToString()), samlToken.Assertion.Signature.KeyInfo, GetErrorString(errors), samlToken), 
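Review bot: `(keysAttempted ??= new()).Append(key.KeyId)` in SamlSecurityTokenHandler.ValidateSignature appends nothing when a key has no `kid`, so when none of the candidate keys carry one the builder's `Length` stays 0, the `(keysAttempted?.Length ?? 0) > 0` branch in the `@@ -140` hunk of the same file never runs, and IDX10512 is raised with a null key list; the old `key.ToString()` always produced text, so this is a new gap in the error. Appending without a delimiter also runs consecutive ids together. `(keysAttempted ??= new()).AppendLine(key.KeyId ?? key.GetType().Name);` keeps the message populated and readable, and `keysAttemptedString = resolvedKey.KeyId;` in the `@@ -140` hunk has the same null gap. The identical lines in Saml2SecurityTokenHandler.ValidateSignature.cs need the same treatment. The enclosing foreach starts before this hunk.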
@@ -140,7 +141,7 @@ internal static ValidationResult ValidateSignature( string? keysAttemptedString = null; if (resolvedKey is not null) - keysAttemptedString = resolvedKey.ToString(); + keysAttemptedString = resolvedKey.KeyId; else if ((keysAttempted?.Length ?? 0) > 0) keysAttemptedString = keysAttempted!.ToString(); @@ -148,7 +149,7 @@ internal static ValidationResult ValidateSignature( return new SignatureValidationError( new MessageDetail( TokenLogMessages.IDX10512, - keysAttemptedString, + LogHelper.MarkAsNonPII(keysAttemptedString), GetErrorString(errors), samlToken), ValidationFailureType.SignatureValidationFailed, diff --git a/src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlSecurityTokenHandler.cs b/src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlSecurityTokenHandler.cs index 4f7bfe9e54..51eeb024cc 100644 --- a/src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlSecurityTokenHandler.cs +++ b/src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlSecurityTokenHandler.cs @@ -1105,7 +1105,7 @@ private SamlSecurityToken ValidateSignature(SamlSecurityToken samlToken, string if (key != null) { - keysAttempted.Append(key.ToString()).Append(" , KeyId: ").AppendLine(key.KeyId); + keysAttempted.Append("KeyId: ").AppendLine(key.KeyId); if (canMatchKey && !keyMatched && key.KeyId != null) keyMatched = samlToken.Assertion.Signature.KeyInfo.MatchesKey(key); } 
@@ -1115,14 +1115,15 @@ private SamlSecurityToken ValidateSignature(SamlSecurityToken samlToken, string if (canMatchKey) { if (keyMatched) - throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSignatureException(LogHelper.FormatInvariant(TokenLogMessages.IDX10514, keysAttempted, samlToken.Assertion.Signature.KeyInfo, exceptionStrings, samlToken))); + throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSignatureException( + LogHelper.FormatInvariant(TokenLogMessages.IDX10514, LogHelper.MarkAsNonPII(keysAttempted), samlToken.Assertion.Signature.KeyInfo, exceptionStrings, samlToken))); ValidateIssuer(samlToken.Issuer, samlToken, validationParameters); ValidateConditions(samlToken, validationParameters); } if (keysAttempted.Length > 0) - throw LogExceptionMessage(new SecurityTokenSignatureKeyNotFoundException(FormatInvariant(TokenLogMessages.IDX10512, keysAttempted, exceptionStrings, samlToken))); + throw LogExceptionMessage(new SecurityTokenSignatureKeyNotFoundException(FormatInvariant(TokenLogMessages.IDX10512, LogHelper.MarkAsNonPII(keysAttempted), exceptionStrings, samlToken))); throw LogHelper.LogExceptionMessage(new SecurityTokenSignatureKeyNotFoundException(TokenLogMessages.IDX10500)); } diff --git a/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateSignature.cs b/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateSignature.cs index 7aeb16093e..9ac7dc2885 100644 --- a/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateSignature.cs +++ b/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateSignature.cs @@ -4,6 +4,7 @@ using System; using System.Collections.Generic; using System.Text; +using Microsoft.IdentityModel.Logging; using Microsoft.IdentityModel.Tokens.Saml; using TokenLogMessages = Microsoft.IdentityModel.Tokens.LogMessages; 
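Review bot: The rebuilt IDX10512 throw mixes the unqualified `LogExceptionMessage(` and `FormatInvariant(` with a fully qualified `LogHelper.MarkAsNonPII(keysAttempted)` on the same line; the unqualified calls suggest the file has a `using static` for LogHelper, in which case `MarkAsNonPII(keysAttempted)` reads consistently, otherwise the whole line should be qualified like the IDX10514 throw above it. `exceptionStrings` and `samlToken` are still passed raw to both messages; whether the SAML token rendering is safe to log unredacted is outside this hunk but worth confirming, since the JWT paths in this commit wrap the token in MarkAsSecurityArtifact. The same mixed-qualification line appears in Saml2SecurityTokenHandler.cs. ValidateSignature starts before this hunk.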
@@ -118,7 +119,7 @@ internal static ValidationResult ValidateSignature( (errors ??= new()).Add(result.UnwrapError()); - (keysAttempted ??= new()).Append(key.ToString()); + (keysAttempted ??= new()).Append(key.KeyId); if (canMatchKey && !keyMatched && key.KeyId is not null && samlToken.Assertion.Signature.KeyInfo is not null) keyMatched = samlToken.Assertion.Signature.KeyInfo.MatchesKey(key); } @@ -128,7 +129,7 @@ internal static ValidationResult ValidateSignature( return new SignatureValidationError( new MessageDetail( TokenLogMessages.IDX10514, - keysAttempted?.ToString(), + LogHelper.MarkAsNonPII(keysAttempted?.ToString()), samlToken.Assertion.Signature.KeyInfo, GetErrorStrings(errors), samlToken), @@ -138,7 +139,7 @@ internal static ValidationResult ValidateSignature( string? keysAttemptedString = null; if (resolvedKey is not null) - keysAttemptedString = resolvedKey.ToString(); + keysAttemptedString = resolvedKey.KeyId; else if ((keysAttempted?.Length ?? 0) > 0) keysAttemptedString = keysAttempted!.ToString(); @@ -146,7 +147,7 @@ internal static ValidationResult ValidateSignature( return new SignatureValidationError( new MessageDetail( TokenLogMessages.IDX10512, - keysAttemptedString, + LogHelper.MarkAsNonPII(keysAttemptedString), GetErrorStrings(errors), samlToken), ValidationFailureType.SignatureValidationFailed, diff --git a/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.cs b/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.cs index 9e2ad28749..fc1c9e09a7 100644 --- a/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.cs +++ b/src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.cs 
@@ -470,7 +470,7 @@ private Saml2SecurityToken ValidateSignature(Saml2SecurityToken samlToken, strin if (key != null) { - keysAttempted.Append(key.ToString()).Append(" , KeyId: ").AppendLine(key.KeyId); + keysAttempted.Append("KeyId: ").AppendLine(key.KeyId); if (canMatchKey && !keyMatched && key.KeyId != null) keyMatched = samlToken.Assertion.Signature.KeyInfo.MatchesKey(key); } @@ -480,14 +480,15 @@ private Saml2SecurityToken ValidateSignature(Saml2SecurityToken samlToken, strin if (canMatchKey) { if (keyMatched) - throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSignatureException(LogHelper.FormatInvariant(TokenLogMessages.IDX10514, keysAttempted, samlToken.Assertion.Signature.KeyInfo, exceptionStrings, samlToken))); + throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSignatureException( + LogHelper.FormatInvariant(TokenLogMessages.IDX10514, LogHelper.MarkAsNonPII(keysAttempted), samlToken.Assertion.Signature.KeyInfo, exceptionStrings, samlToken))); ValidateIssuer(samlToken.Issuer, samlToken, validationParameters); ValidateConditions(samlToken, validationParameters); } if (keysAttempted.Length > 0) - throw LogExceptionMessage(new SecurityTokenSignatureKeyNotFoundException(FormatInvariant(TokenLogMessages.IDX10512, keysAttempted, exceptionStrings, samlToken))); + throw LogExceptionMessage(new SecurityTokenSignatureKeyNotFoundException(FormatInvariant(TokenLogMessages.IDX10512, LogHelper.MarkAsNonPII(keysAttempted), exceptionStrings, samlToken))); throw LogHelper.LogExceptionMessage(new SecurityTokenSignatureKeyNotFoundException(TokenLogMessages.IDX10500)); } diff --git a/src/Microsoft.IdentityModel.Tokens/AsymmetricAdapter.cs b/src/Microsoft.IdentityModel.Tokens/AsymmetricAdapter.cs index 8aa11d9318..113a55c1c0 100644 --- a/src/Microsoft.IdentityModel.Tokens/AsymmetricAdapter.cs +++ b/src/Microsoft.IdentityModel.Tokens/AsymmetricAdapter.cs 
@@ -92,7 +92,7 @@ internal AsymmetricAdapter( new NotSupportedException( LogHelper.FormatInvariant( LogMessages.IDX10684, - LogHelper.MarkAsNonPII(algorithm), key))); + LogHelper.MarkAsNonPII(algorithm), LogHelper.MarkAsNonPII(key.KeyId)))); } } else if (key is ECDsaSecurityKey ecdsaKey) @@ -104,7 +104,7 @@ internal AsymmetricAdapter( new NotSupportedException( LogHelper.FormatInvariant( LogMessages.IDX10684, - LogHelper.MarkAsNonPII(algorithm), key))); + LogHelper.MarkAsNonPII(algorithm), LogHelper.MarkAsNonPII(key.KeyId)))); } internal byte[] Decrypt(byte[] data) diff --git a/src/Microsoft.IdentityModel.Tokens/AsymmetricSignatureProvider.cs b/src/Microsoft.IdentityModel.Tokens/AsymmetricSignatureProvider.cs index 0117c21b5e..118d907fe4 100644 --- a/src/Microsoft.IdentityModel.Tokens/AsymmetricSignatureProvider.cs +++ b/src/Microsoft.IdentityModel.Tokens/AsymmetricSignatureProvider.cs @@ -128,14 +128,15 @@ public AsymmetricSignatureProvider( if (willCreateSignatures && FoundPrivateKey(key) == PrivateKeyStatus.DoesNotExist) throw LogHelper.LogExceptionMessage( new InvalidOperationException( - LogHelper.FormatInvariant(LogMessages.IDX10638, key))); + LogHelper.FormatInvariant(LogMessages.IDX10638, LogHelper.MarkAsNonPII(key.KeyId)))); if (!_cryptoProviderFactory.IsSupportedAlgorithm(algorithm, key)) throw LogHelper.LogExceptionMessage( new NotSupportedException( LogHelper.FormatInvariant( LogMessages.IDX10634, - LogHelper.MarkAsNonPII((algorithm)), key))); + LogHelper.MarkAsNonPII((algorithm)), + LogHelper.MarkAsNonPII(key.KeyId)))); WillCreateSignatures = willCreateSignatures; _asymmetricAdapterObjectPool = new DisposableObjectPool( 
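Review bot: `LogHelper.MarkAsNonPII(key.KeyId)` in the IDX10684 NotSupportedException drops the one fact that explains the failure: the surrounding `key is ... Key` dispatch (visible in the trailing `else if (key is ECDsaSecurityKey ecdsaKey)`) rejects a key for its type, and a `kid`, frequently null for locally constructed keys, says nothing about that. A type name is not PII, so passing `LogHelper.MarkAsNonPII(key.GetType().Name)` or a combined `LogHelper.MarkAsNonPII($"{key.GetType().Name} kid={key.KeyId}")` keeps the message actionable without reintroducing key material; ResolvePopKeyFromJwk in this same commit already logs `key.GetType().ToString()` that way. The same loss of the type affects IDX10704 in ValidateAsymmetricSecurityKeySize, IDX10634 and IDX10661 in CryptoProviderFactory, and IDX10667/IDX10668 in AuthenticatedEncryptionProvider, all of which are "not supported" errors. The AsymmetricAdapter constructor starts before this hunk and continues past it.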
@@ -346,12 +347,12 @@ public virtual void ValidateAsymmetricSecurityKeySize(SecurityKey key, string al keySize = convertedAsymmetricKey.KeySize; else if (convertedSecurityKey is SymmetricSecurityKey) throw LogHelper.LogExceptionMessage( - new NotSupportedException(LogHelper.FormatInvariant(LogMessages.IDX10704, key))); + new NotSupportedException(LogHelper.FormatInvariant(LogMessages.IDX10704, LogHelper.MarkAsNonPII(key.KeyId)))); } else { throw LogHelper.LogExceptionMessage( - new NotSupportedException(LogHelper.FormatInvariant(LogMessages.IDX10704, key))); + new NotSupportedException(LogHelper.FormatInvariant(LogMessages.IDX10704, LogHelper.MarkAsNonPII(key.KeyId)))); } if (willCreateSignatures) @@ -363,7 +364,7 @@ public virtual void ValidateAsymmetricSecurityKeySize(SecurityKey key, string al nameof(key), LogHelper.FormatInvariant( LogMessages.IDX10630, - key, + LogHelper.MarkAsNonPII(key.KeyId), LogHelper.MarkAsNonPII( MinimumAsymmetricKeySizeInBitsForSigningMap[algorithm]), LogHelper.MarkAsNonPII(keySize)))); diff --git a/src/Microsoft.IdentityModel.Tokens/CryptoProviderFactory.cs b/src/Microsoft.IdentityModel.Tokens/CryptoProviderFactory.cs index 850f2d5657..57e8fe5d6d 100644 --- a/src/Microsoft.IdentityModel.Tokens/CryptoProviderFactory.cs +++ b/src/Microsoft.IdentityModel.Tokens/CryptoProviderFactory.cs @@ -168,7 +168,7 @@ public virtual AuthenticatedEncryptionProvider CreateAuthenticatedEncryptionProv LogHelper.FormatInvariant( LogMessages.IDX10646, LogHelper.MarkAsNonPII(algorithm), - key, + LogHelper.MarkAsNonPII(key.KeyId), LogHelper.MarkAsNonPII(typeof(AuthenticatedEncryptionProvider))))); return cryptoProvider; @@ -247,7 +247,7 @@ private KeyWrapProvider CreateKeyWrapProvider(SecurityKey key, string algorithm, LogHelper.FormatInvariant( LogMessages.IDX10646, LogHelper.MarkAsNonPII(algorithm), - key, + LogHelper.MarkAsNonPII(key.KeyId), LogHelper.MarkAsNonPII(typeof(SignatureProvider))))); return keyWrapProvider; 
@@ -264,7 +264,7 @@ private KeyWrapProvider CreateKeyWrapProvider(SecurityKey key, string algorithm, LogHelper.FormatInvariant( LogMessages.IDX10661, LogHelper.MarkAsNonPII(algorithm), - key))); + LogHelper.MarkAsNonPII(key.KeyId)))); } /// @@ -605,7 +605,7 @@ private SignatureProvider CreateSignatureProvider( LogHelper.FormatInvariant( LogMessages.IDX10646, LogHelper.MarkAsNonPII(algorithm), - key, + LogHelper.MarkAsNonPII(key.KeyId), LogHelper.MarkAsNonPII(typeof(SignatureProvider))))); return signatureProvider; @@ -652,7 +652,7 @@ private SignatureProvider CreateSignatureProvider( new InvalidOperationException( LogHelper.FormatInvariant( LogMessages.IDX10694, - key, + LogHelper.MarkAsNonPII(key.KeyId), ex), ex)); } @@ -693,7 +693,7 @@ private SignatureProvider CreateSignatureProvider( LogHelper.FormatInvariant( LogMessages.IDX10634, LogHelper.MarkAsNonPII(algorithm), - key))); + LogHelper.MarkAsNonPII(key.KeyId)))); if (createAsymmetric) signatureProvider = new AsymmetricSignatureProvider(key, algorithm, willCreateSignatures, this); @@ -718,7 +718,7 @@ private SignatureProvider CreateSignatureProvider( LogHelper.FormatInvariant( LogMessages.IDX10634, LogHelper.MarkAsNonPII(algorithm), - key))); + LogHelper.MarkAsNonPII(key.KeyId)))); if (createAsymmetric) { diff --git a/src/Microsoft.IdentityModel.Tokens/Encryption/AuthenticatedEncryptionProvider.cs b/src/Microsoft.IdentityModel.Tokens/Encryption/AuthenticatedEncryptionProvider.cs index 6965c1f0b6..048fe0b602 100644 --- a/src/Microsoft.IdentityModel.Tokens/Encryption/AuthenticatedEncryptionProvider.cs +++ b/src/Microsoft.IdentityModel.Tokens/Encryption/AuthenticatedEncryptionProvider.cs 
@@ -74,7 +74,7 @@ public AuthenticatedEncryptionProvider(SecurityKey key, string algorithm) InitializeUsingAesCbc(); } else - throw LogHelper.LogExceptionMessage(new ArgumentException(LogHelper.FormatInvariant(LogMessages.IDX10668, LogHelper.MarkAsNonPII(_className), LogHelper.MarkAsNonPII(algorithm), key))); + throw LogHelper.LogExceptionMessage(new ArgumentException(LogHelper.FormatInvariant(LogMessages.IDX10668, LogHelper.MarkAsNonPII(_className), LogHelper.MarkAsNonPII(algorithm), LogHelper.MarkAsNonPII(key.KeyId)))); } private void InitializeUsingAesGcm() @@ -207,7 +207,7 @@ private AuthenticatedKeys CreateAuthenticatedKeys() internal SymmetricSignatureProvider CreateSymmetricSignatureProvider() { if (!IsSupportedAlgorithm(Key, Algorithm)) - throw LogHelper.LogExceptionMessage(new ArgumentException(LogHelper.FormatInvariant(LogMessages.IDX10668, LogHelper.MarkAsNonPII(_className), LogHelper.MarkAsNonPII(Algorithm), Key))); + throw LogHelper.LogExceptionMessage(new ArgumentException(LogHelper.FormatInvariant(LogMessages.IDX10668, LogHelper.MarkAsNonPII(_className), LogHelper.MarkAsNonPII(Algorithm), LogHelper.MarkAsNonPII(Key.KeyId)))); ValidateKeySize(Key, Algorithm); @@ -370,7 +370,7 @@ private AuthenticatedKeys GetAlgorithmParameters(SecurityKey key, string algorit else if (algorithm.Equals(SecurityAlgorithms.Aes128CbcHmacSha256)) keyLength = 16; else - throw LogHelper.LogExceptionMessage(new ArgumentException(LogHelper.FormatInvariant(LogMessages.IDX10668, LogHelper.MarkAsNonPII(_className), LogHelper.MarkAsNonPII(algorithm), key))); + throw LogHelper.LogExceptionMessage(new ArgumentException(LogHelper.FormatInvariant(LogMessages.IDX10668, LogHelper.MarkAsNonPII(_className), LogHelper.MarkAsNonPII(algorithm), LogHelper.MarkAsNonPII(key.KeyId)))); var keyBytes = GetKeyBytes(key); byte[] aesKey = new byte[keyLength]; 
@@ -426,7 +426,7 @@ protected virtual byte[] GetKeyBytes(SecurityKey key)
 if (key is JsonWebKey jsonWebKey && JsonWebKeyConverter.TryConvertToSymmetricSecurityKey(jsonWebKey, out SecurityKey securityKey))
 return GetKeyBytes(securityKey);
 
- throw LogHelper.LogExceptionMessage(new ArgumentException(LogHelper.FormatInvariant(LogMessages.IDX10667, key)));
+ throw LogHelper.LogExceptionMessage(new ArgumentException(LogHelper.FormatInvariant(LogMessages.IDX10667, LogHelper.MarkAsNonPII(key.KeyId))));
 }
 
 internal static byte[] Transform(ICryptoTransform transform, byte[] input, int inputOffset, int inputLength)
@@ -464,7 +464,14 @@ protected virtual void ValidateKeySize(SecurityKey key, string algorithm)
 if (SecurityAlgorithms.Aes128CbcHmacSha256.Equals(algorithm))
 {
 if (key.KeySize < 256)
- throw LogHelper.LogExceptionMessage(new ArgumentOutOfRangeException(nameof(key), LogHelper.FormatInvariant(LogMessages.IDX10653, LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes128CbcHmacSha256), LogHelper.MarkAsNonPII(256), key.KeyId, LogHelper.MarkAsNonPII(key.KeySize))));
+ throw LogHelper.LogExceptionMessage(
+ new ArgumentOutOfRangeException(
+ nameof(key),
+ LogHelper.FormatInvariant(LogMessages.IDX10653,
+ LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes128CbcHmacSha256),
+ LogHelper.MarkAsNonPII(256),
+ LogHelper.MarkAsNonPII(key.KeyId),
+ LogHelper.MarkAsNonPII(key.KeySize))));
 
 return;
 }
@@ -472,7 +479,15 @@ protected virtual void ValidateKeySize(SecurityKey key, string algorithm)
 if (SecurityAlgorithms.Aes192CbcHmacSha384.Equals(algorithm))
 {
 if (key.KeySize < 384)
- throw LogHelper.LogExceptionMessage(new ArgumentOutOfRangeException(nameof(key), LogHelper.FormatInvariant(LogMessages.IDX10653, LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes192CbcHmacSha384), LogHelper.MarkAsNonPII(384), key.KeyId, LogHelper.MarkAsNonPII(key.KeySize))));
+ throw LogHelper.LogExceptionMessage(
+ new ArgumentOutOfRangeException(
+ nameof(key),
+ LogHelper.FormatInvariant(
+ LogMessages.IDX10653,
+ LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes192CbcHmacSha384),
+ LogHelper.MarkAsNonPII(384),
+ LogHelper.MarkAsNonPII(key.KeyId),
+ LogHelper.MarkAsNonPII(key.KeySize))));
 
 return;
 }
@@ -480,7 +495,15 @@ protected virtual void ValidateKeySize(SecurityKey key, string algorithm)
 if (SecurityAlgorithms.Aes256CbcHmacSha512.Equals(algorithm))
 {
 if (key.KeySize < 512)
- throw LogHelper.LogExceptionMessage(new ArgumentOutOfRangeException(nameof(key), LogHelper.FormatInvariant(LogMessages.IDX10653, LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes256CbcHmacSha512), LogHelper.MarkAsNonPII(512), key.KeyId, LogHelper.MarkAsNonPII(key.KeySize))));
+ throw LogHelper.LogExceptionMessage(
+ new ArgumentOutOfRangeException(
+ nameof(key),
+ LogHelper.FormatInvariant(
+ LogMessages.IDX10653,
+ LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes256CbcHmacSha512),
+ LogHelper.MarkAsNonPII(512),
+ LogHelper.MarkAsNonPII(key.KeyId),
+ LogHelper.MarkAsNonPII(key.KeySize))));
 
 return;
 }
@@ -488,7 +511,15 @@ protected virtual void ValidateKeySize(SecurityKey key, string algorithm)
 if (SecurityAlgorithms.Aes128Gcm.Equals(algorithm))
 {
 if (key.KeySize < 128)
- throw LogHelper.LogExceptionMessage(new ArgumentOutOfRangeException(nameof(key), LogHelper.FormatInvariant(LogMessages.IDX10653, LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes128Gcm), LogHelper.MarkAsNonPII(128), key.KeyId, LogHelper.MarkAsNonPII(key.KeySize))));
+ throw LogHelper.LogExceptionMessage(
+ new ArgumentOutOfRangeException(
+ nameof(key),
+ LogHelper.FormatInvariant(
+ LogMessages.IDX10653,
+ LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes128Gcm),
+ LogHelper.MarkAsNonPII(128),
+ LogHelper.MarkAsNonPII(key.KeyId),
+ LogHelper.MarkAsNonPII(key.KeySize))));
 
 return;
 }
@@ -496,7 +527,15 @@ protected virtual void ValidateKeySize(SecurityKey key, string algorithm)
 if (SecurityAlgorithms.Aes192Gcm.Equals(algorithm))
 {
 if (key.KeySize < 192)
- throw LogHelper.LogExceptionMessage(new ArgumentOutOfRangeException(nameof(key), LogHelper.FormatInvariant(LogMessages.IDX10653, LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes192Gcm), LogHelper.MarkAsNonPII(192), key.KeyId, LogHelper.MarkAsNonPII(key.KeySize))));
+ throw LogHelper.LogExceptionMessage(
+ new ArgumentOutOfRangeException(
+ nameof(key),
+ LogHelper.FormatInvariant(
+ LogMessages.IDX10653,
+ LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes192Gcm),
+ LogHelper.MarkAsNonPII(192),
+ LogHelper.MarkAsNonPII(key.KeyId),
+ LogHelper.MarkAsNonPII(key.KeySize))));
 
 return;
 }
@@ -504,7 +543,15 @@ protected virtual void ValidateKeySize(SecurityKey key, string algorithm)
 if (SecurityAlgorithms.Aes256Gcm.Equals(algorithm))
 {
 if (key.KeySize < 256)
- throw LogHelper.LogExceptionMessage(new ArgumentOutOfRangeException(nameof(key), LogHelper.FormatInvariant(LogMessages.IDX10653, LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes256Gcm), LogHelper.MarkAsNonPII(256), key.KeyId, LogHelper.MarkAsNonPII(key.KeySize))));
+ throw LogHelper.LogExceptionMessage(
+ new ArgumentOutOfRangeException(
+ nameof(key),
+ LogHelper.FormatInvariant(
+ LogMessages.IDX10653,
+ LogHelper.MarkAsNonPII(SecurityAlgorithms.Aes256Gcm),
+ LogHelper.MarkAsNonPII(256),
+ LogHelper.MarkAsNonPII(key.KeyId),
+ LogHelper.MarkAsNonPII(key.KeySize))));
 
 return;
 }
diff --git a/src/Microsoft.IdentityModel.Tokens/Encryption/RsaKeyWrapProvider.cs b/src/Microsoft.IdentityModel.Tokens/Encryption/RsaKeyWrapProvider.cs
index 1c4519839c..8900960725 100644
--- a/src/Microsoft.IdentityModel.Tokens/Encryption/RsaKeyWrapProvider.cs
+++ b/src/Microsoft.IdentityModel.Tokens/Encryption/RsaKeyWrapProvider.cs
@@ -44,7 +44,7 @@ public RsaKeyWrapProvider(SecurityKey key, string algorithm, bool willUnwrap)
 internal AsymmetricAdapter CreateAsymmetricAdapter()
 {
 if (!IsSupportedAlgorithm(Key, Algorithm))
- throw LogHelper.LogExceptionMessage(new NotSupportedException(LogHelper.FormatInvariant(LogMessages.IDX10661, LogHelper.MarkAsNonPII(Algorithm), Key)));
+ throw LogHelper.LogExceptionMessage(new NotSupportedException(LogHelper.FormatInvariant(LogMessages.IDX10661, LogHelper.MarkAsNonPII(Algorithm), LogHelper.MarkAsNonPII(Key.KeyId))));
 
 return new AsymmetricAdapter(Key, Algorithm, _willUnwrap);
 }
diff --git a/src/Microsoft.IdentityModel.Tokens/Encryption/SymmetricKeyWrapProvider.cs b/src/Microsoft.IdentityModel.Tokens/Encryption/SymmetricKeyWrapProvider.cs
index 20b9f096f0..ec8d878fe9 100644
--- a/src/Microsoft.IdentityModel.Tokens/Encryption/SymmetricKeyWrapProvider.cs
+++ b/src/Microsoft.IdentityModel.Tokens/Encryption/SymmetricKeyWrapProvider.cs
@@ -67,7 +67,7 @@ public SymmetricKeyWrapProvider(SecurityKey key, string algorithm)
 private SymmetricAlgorithm CreateSymmetricAlgorithm()
 {
 if (!IsSupportedAlgorithm(Key, Algorithm))
- throw LogHelper.LogExceptionMessage(new NotSupportedException(LogHelper.FormatInvariant(LogMessages.IDX10661, LogHelper.MarkAsNonPII(Algorithm), Key)));
+ throw LogHelper.LogExceptionMessage(new NotSupportedException(LogHelper.FormatInvariant(LogMessages.IDX10661, LogHelper.MarkAsNonPII(Algorithm), LogHelper.MarkAsNonPII(Key.KeyId))));
 
 SymmetricAlgorithm symmetricAlgorithm = GetSymmetricAlgorithm(Key, Algorithm);
 
@@ -137,7 +137,7 @@ protected virtual SymmetricAlgorithm GetSymmetricAlgorithm(SecurityKey key, stri
 throw LogHelper.LogArgumentNullException(nameof(key));
 
 if (!IsSupportedAlgorithm(key, algorithm))
- throw LogHelper.LogExceptionMessage(new NotSupportedException(LogHelper.FormatInvariant(LogMessages.IDX10661, LogHelper.MarkAsNonPII(algorithm), key)));
+ throw LogHelper.LogExceptionMessage(new NotSupportedException(LogHelper.FormatInvariant(LogMessages.IDX10661, LogHelper.MarkAsNonPII(algorithm), LogHelper.MarkAsNonPII(key.KeyId))));
 
 byte[] keyBytes = null;
 
@@ -172,7 +172,7 @@ protected virtual SymmetricAlgorithm GetSymmetricAlgorithm(SecurityKey key, stri
 }
 catch (Exception ex)
 {
- throw LogHelper.LogExceptionMessage(new InvalidOperationException(LogHelper.FormatInvariant(LogMessages.IDX10663, key, LogHelper.MarkAsNonPII(algorithm)), ex));
+ throw LogHelper.LogExceptionMessage(new InvalidOperationException(LogHelper.FormatInvariant(LogMessages.IDX10663, LogHelper.MarkAsNonPII(key.KeyId), LogHelper.MarkAsNonPII(algorithm)), ex));
 }
 }
 
@@ -318,7 +318,7 @@ private void ValidateKeySize(byte[] key, string algorithm)
 if (SecurityAlgorithms.Aes128KW.Equals(algorithm) || SecurityAlgorithms.Aes128KeyWrap.Equals(algorithm))
 {
 if (key.Length != 16)
- throw LogHelper.LogExceptionMessage(new ArgumentOutOfRangeException(nameof(key), LogHelper.FormatInvariant(LogMessages.IDX10662, LogHelper.MarkAsNonPII(algorithm), LogHelper.MarkAsNonPII(128), Key.KeyId, LogHelper.MarkAsNonPII(key.Length << 3))));
+ throw LogHelper.LogExceptionMessage(new ArgumentOutOfRangeException(nameof(key), LogHelper.FormatInvariant(LogMessages.IDX10662, LogHelper.MarkAsNonPII(algorithm), LogHelper.MarkAsNonPII(128), LogHelper.MarkAsNonPII(Key.KeyId), LogHelper.MarkAsNonPII(key.Length << 3))));
 
 return;
 }
@@ -326,7 +326,7 @@ private void ValidateKeySize(byte[] key, string algorithm)
 if (SecurityAlgorithms.Aes192KW.Equals(algorithm) || SecurityAlgorithms.Aes192KeyWrap.Equals(algorithm))
 {
 if (key.Length != 24)
- throw LogHelper.LogExceptionMessage(new ArgumentOutOfRangeException(nameof(key), LogHelper.FormatInvariant(LogMessages.IDX10662, LogHelper.MarkAsNonPII(algorithm), LogHelper.MarkAsNonPII(128), Key.KeyId, LogHelper.MarkAsNonPII(key.Length << 3))));
+ throw LogHelper.LogExceptionMessage(new ArgumentOutOfRangeException(nameof(key), LogHelper.FormatInvariant(LogMessages.IDX10662, LogHelper.MarkAsNonPII(algorithm), LogHelper.MarkAsNonPII(128), LogHelper.MarkAsNonPII(Key.KeyId), LogHelper.MarkAsNonPII(key.Length << 3))));
 
 return;
 }
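Review bot: In the Aes192KW/Aes192KeyWrap branch (second hunk on this line) the rewritten throw still reports `LogHelper.MarkAsNonPII(128)` as the expected key size, while the guard it sits under is `key.Length != 24`, i.e. 192 bits; the new line should read `LogHelper.MarkAsNonPII(192)` so IDX10662 does not tell an operator that a 192-bit wrap algorithm wants a 128-bit key. The Aes128KW and Aes256KW branches pass the right constants. The wrong value predates this commit, but since the line is being rewritten for the PII marking this is the moment to correct it. `ValidateKeySize` starts and ends outside these hunks.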
@@ -334,7 +334,7 @@ private void ValidateKeySize(byte[] key, string algorithm)
 if (SecurityAlgorithms.Aes256KW.Equals(algorithm) || (SecurityAlgorithms.Aes256KeyWrap.Equals(algorithm)))
 {
 if (key.Length != 32)
- throw LogHelper.LogExceptionMessage(new ArgumentOutOfRangeException(nameof(key), LogHelper.FormatInvariant(LogMessages.IDX10662, LogHelper.MarkAsNonPII(algorithm), LogHelper.MarkAsNonPII(256), Key.KeyId, LogHelper.MarkAsNonPII(key.Length << 3))));
+ throw LogHelper.LogExceptionMessage(new ArgumentOutOfRangeException(nameof(key), LogHelper.FormatInvariant(LogMessages.IDX10662, LogHelper.MarkAsNonPII(algorithm), LogHelper.MarkAsNonPII(256), LogHelper.MarkAsNonPII(Key.KeyId), LogHelper.MarkAsNonPII(key.Length << 3))));
 
 return;
 }
diff --git a/src/Microsoft.IdentityModel.Tokens/JsonWebKeyConverter.cs b/src/Microsoft.IdentityModel.Tokens/JsonWebKeyConverter.cs
index ae41d800b0..07962eba68 100644
--- a/src/Microsoft.IdentityModel.Tokens/JsonWebKeyConverter.cs
+++ b/src/Microsoft.IdentityModel.Tokens/JsonWebKeyConverter.cs
@@ -238,11 +238,11 @@ public static bool TryConvertToSecurityKey(JsonWebKey webKey, out SecurityKey ke
 catch (Exception ex)
 {
 if (LogHelper.IsEnabled(EventLogLevel.Warning))
- LogHelper.LogWarning(LogHelper.FormatInvariant(LogMessages.IDX10813, LogHelper.MarkAsNonPII(typeof(SecurityKey)), webKey, ex));
+ LogHelper.LogWarning(LogHelper.FormatInvariant(LogMessages.IDX10813, LogHelper.MarkAsNonPII(typeof(SecurityKey)), LogHelper.MarkAsNonPII(webKey.KeyId), ex));
 }
 
 if (LogHelper.IsEnabled(EventLogLevel.Warning))
- LogHelper.LogWarning(LogHelper.FormatInvariant(LogMessages.IDX10812, LogHelper.MarkAsNonPII(typeof(SecurityKey)), webKey));
+ LogHelper.LogWarning(LogHelper.FormatInvariant(LogMessages.IDX10812, LogHelper.MarkAsNonPII(typeof(SecurityKey)), LogHelper.MarkAsNonPII(webKey.KeyId)));
 
 return false;
 }
@@ -267,7 +267,7 @@ internal static bool TryConvertToSymmetricSecurityKey(JsonWebKey webKey, out Sec
 catch (Exception ex)
 {
 if (LogHelper.IsEnabled(EventLogLevel.Error))
- LogHelper.LogExceptionMessage(new InvalidOperationException(LogHelper.FormatInvariant(LogMessages.IDX10813, LogHelper.MarkAsNonPII(typeof(SymmetricSecurityKey)), webKey, ex), ex));
+ LogHelper.LogExceptionMessage(new InvalidOperationException(LogHelper.FormatInvariant(LogMessages.IDX10813, LogHelper.MarkAsNonPII(typeof(SymmetricSecurityKey)), LogHelper.MarkAsNonPII(webKey.KeyId), ex), ex));
 }
 
 return false;
@@ -294,7 +294,7 @@ internal static bool TryConvertToX509SecurityKey(JsonWebKey webKey, out Security
 }
 catch (Exception ex)
 {
- string convertKeyInfo = LogHelper.FormatInvariant(LogMessages.IDX10813, LogHelper.MarkAsNonPII(typeof(X509SecurityKey)), webKey, ex);
+ string convertKeyInfo = LogHelper.FormatInvariant(LogMessages.IDX10813, LogHelper.MarkAsNonPII(typeof(X509SecurityKey)), LogHelper.MarkAsNonPII(webKey.KeyId), ex);
 webKey.ConvertKeyInfo = convertKeyInfo;
 if (LogHelper.IsEnabled(EventLogLevel.Error))
 LogHelper.LogExceptionMessage(new InvalidOperationException(convertKeyInfo, ex));
@@ -322,7 +322,7 @@ internal static bool TryCreateToRsaSecurityKey(JsonWebKey webKey, out SecurityKe
 }
 catch (Exception ex)
 {
- string convertKeyInfo = LogHelper.FormatInvariant(LogMessages.IDX10813, LogHelper.MarkAsNonPII(typeof(RsaSecurityKey)), webKey, ex);
+ string convertKeyInfo = LogHelper.FormatInvariant(LogMessages.IDX10813, LogHelper.MarkAsNonPII(typeof(RsaSecurityKey)), LogHelper.MarkAsNonPII(webKey.KeyId), ex);
 webKey.ConvertKeyInfo = convertKeyInfo;
 if (LogHelper.IsEnabled(EventLogLevel.Error))
 LogHelper.LogExceptionMessage(new InvalidOperationException(convertKeyInfo, ex));
@@ -352,7 +352,7 @@ internal static bool TryConvertToECDsaSecurityKey(JsonWebKey webKey, out Securit
 if (string.IsNullOrEmpty(webKey.Y))
 missingComponent.Add(JsonWebKeyParameterNames.Y);
 
- webKey.ConvertKeyInfo = LogHelper.FormatInvariant(LogMessages.IDX10814, LogHelper.MarkAsNonPII(typeof(ECDsaSecurityKey)), webKey, string.Join(", ", missingComponent));
+ webKey.ConvertKeyInfo = LogHelper.FormatInvariant(LogMessages.IDX10814, LogHelper.MarkAsNonPII(typeof(ECDsaSecurityKey)), LogHelper.MarkAsNonPII(webKey.KeyId), string.Join(", ", missingComponent));
 
 return false;
 }
@@ -363,7 +363,7 @@ internal static bool TryConvertToECDsaSecurityKey(JsonWebKey webKey, out Securit
 }
 catch (Exception ex)
 {
- string convertKeyInfo = LogHelper.FormatInvariant(LogMessages.IDX10813, LogHelper.MarkAsNonPII(typeof(ECDsaSecurityKey)), webKey, ex);
+ string convertKeyInfo = LogHelper.FormatInvariant(LogMessages.IDX10813, LogHelper.MarkAsNonPII(typeof(ECDsaSecurityKey)), LogHelper.MarkAsNonPII(webKey.KeyId), ex);
 webKey.ConvertKeyInfo = convertKeyInfo;
 if (LogHelper.IsEnabled(EventLogLevel.Error))
 LogHelper.LogExceptionMessage(new InvalidOperationException(convertKeyInfo, ex));
diff --git a/src/Microsoft.IdentityModel.Tokens/JsonWebKeySet.cs b/src/Microsoft.IdentityModel.Tokens/JsonWebKeySet.cs
index 3c533c6c5b..023b0019e9 100644
--- a/src/Microsoft.IdentityModel.Tokens/JsonWebKeySet.cs
+++ b/src/Microsoft.IdentityModel.Tokens/JsonWebKeySet.cs
@@ -131,7 +131,7 @@ public IList GetSigningKeys()
 // https://datatracker.ietf.org/doc/html/rfc7517#section-4-2
 if (!string.IsNullOrEmpty(webKey.Use) && !webKey.Use.Equals(JsonWebKeyUseNames.Sig))
 {
- string convertKeyInfo = LogHelper.FormatInvariant(LogMessages.IDX10808, webKey, webKey.Use);
+ string convertKeyInfo = LogHelper.FormatInvariant(LogMessages.IDX10808, LogHelper.MarkAsNonPII(webKey.KeyId), webKey.Use);
 webKey.ConvertKeyInfo = convertKeyInfo;
 LogHelper.LogInformation(convertKeyInfo);
 if (!SkipUnresolvedJsonWebKeys)
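Review bot: The IDX10814 message built for `ECDsaSecurityKey` (first hunk on this line) leaves `string.Join(", ", missingComponent)` unwrapped, whereas the otherwise identical IDX10814 calls in `JsonWebKeySet.cs` further down this diff (`GetSigningKeys`, `IsValidX509SecurityKey`, `IsValidRsaSecurityKey`) wrap it in `LogHelper.MarkAsNonPII(...)`; the list only ever holds `JsonWebKeyParameterNames` constants, so `LogHelper.MarkAsNonPII(string.Join(", ", missingComponent))` here would make the four messages render alike. The `webKey.Use` argument of the IDX10808 call in `GetSigningKeys` is in the same position: it is an RFC 7517 `use` value rather than user data and is now the only unwrapped argument in that call. The enclosing methods begin outside these hunks.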
@@ -148,7 +148,7 @@ public IList GetSigningKeys()
 if ((webKey.X5c == null || webKey.X5c.Count == 0) && (string.IsNullOrEmpty(webKey.E) && string.IsNullOrEmpty(webKey.N)))
 {
 var missingComponent = new List { JsonWebKeyParameterNames.X5c, JsonWebKeyParameterNames.E, JsonWebKeyParameterNames.N };
- string convertKeyInfo = LogHelper.FormatInvariant(LogMessages.IDX10814, LogHelper.MarkAsNonPII(typeof(RsaSecurityKey)), webKey, LogHelper.MarkAsNonPII(string.Join(", ", missingComponent)));
+ string convertKeyInfo = LogHelper.FormatInvariant(LogMessages.IDX10814, LogHelper.MarkAsNonPII(typeof(RsaSecurityKey)), LogHelper.MarkAsNonPII(webKey.KeyId), LogHelper.MarkAsNonPII(string.Join(", ", missingComponent)));
 webKey.ConvertKeyInfo = convertKeyInfo;
 LogHelper.LogInformation(convertKeyInfo);
 rsaKeyResolved = false;
@@ -182,7 +182,7 @@ public IList GetSigningKeys()
 }
 else
 {
- string convertKeyInfo = LogHelper.FormatInvariant(LogMessages.IDX10810, webKey);
+ string convertKeyInfo = LogHelper.FormatInvariant(LogMessages.IDX10810, LogHelper.MarkAsNonPII(webKey.KeyId));
 webKey.ConvertKeyInfo = convertKeyInfo;
 LogHelper.LogInformation(convertKeyInfo);
 
@@ -198,7 +198,7 @@ private static bool IsValidX509SecurityKey(JsonWebKey webKey)
 {
 if (webKey.X5c == null || webKey.X5c.Count == 0)
 {
- webKey.ConvertKeyInfo = LogHelper.FormatInvariant(LogMessages.IDX10814, LogHelper.MarkAsNonPII(typeof(X509SecurityKey)), webKey, LogHelper.MarkAsNonPII(JsonWebKeyParameterNames.X5c));
+ webKey.ConvertKeyInfo = LogHelper.FormatInvariant(LogMessages.IDX10814, LogHelper.MarkAsNonPII(typeof(X509SecurityKey)), LogHelper.MarkAsNonPII(webKey.KeyId), LogHelper.MarkAsNonPII(JsonWebKeyParameterNames.X5c));
 return false;
 }
 
@@ -216,7 +216,7 @@ private static bool IsValidRsaSecurityKey(JsonWebKey webKey)
 
 if (missingComponent.Count > 0)
 {
- string convertKeyInfo = LogHelper.FormatInvariant(LogMessages.IDX10814, LogHelper.MarkAsNonPII(typeof(RsaSecurityKey)), webKey, LogHelper.MarkAsNonPII(string.Join(", ", missingComponent)));
+ string convertKeyInfo = LogHelper.FormatInvariant(LogMessages.IDX10814, LogHelper.MarkAsNonPII(typeof(RsaSecurityKey)), LogHelper.MarkAsNonPII(webKey.KeyId), LogHelper.MarkAsNonPII(string.Join(", ", missingComponent)));
 if (string.IsNullOrEmpty(webKey.ConvertKeyInfo))
 webKey.ConvertKeyInfo = convertKeyInfo;
 else
diff --git a/src/Microsoft.IdentityModel.Tokens/SymmetricSignatureProvider.cs b/src/Microsoft.IdentityModel.Tokens/SymmetricSignatureProvider.cs
index 72f12a05a8..f9c06222a7 100644
--- a/src/Microsoft.IdentityModel.Tokens/SymmetricSignatureProvider.cs
+++ b/src/Microsoft.IdentityModel.Tokens/SymmetricSignatureProvider.cs
@@ -77,7 +77,7 @@ public SymmetricSignatureProvider(SecurityKey key, string algorithm, bool willCr
 new NotSupportedException(
 LogHelper.FormatInvariant(
 LogMessages.IDX10634,
- LogHelper.MarkAsNonPII((algorithm)), key)));
+ LogHelper.MarkAsNonPII((algorithm)), LogHelper.MarkAsNonPII(key.KeyId))));
 
 if (key.KeySize < MinimumSymmetricKeySizeInBits)
 throw LogHelper.LogExceptionMessage(
@@ -89,7 +89,7 @@ public SymmetricSignatureProvider(SecurityKey key, string algorithm, bool willCr
 (algorithm)),
 LogHelper.MarkAsNonPII(
 MinimumSymmetricKeySizeInBits),
- key,
+ LogHelper.MarkAsNonPII(key.KeyId),
 LogHelper.MarkAsNonPII(key.KeySize))));
 
 WillCreateSignatures = willCreateSignatures;
@@ -144,7 +144,7 @@ protected virtual byte[] GetKeyBytes(SecurityKey key)
 if (key is JsonWebKey jsonWebKey && jsonWebKey.K != null && jsonWebKey.Kty == JsonWebAlgorithmsKeyTypes.Octet)
 return Base64UrlEncoder.DecodeBytes(jsonWebKey.K);
 
- throw LogHelper.LogExceptionMessage(new ArgumentException(LogHelper.FormatInvariant(LogMessages.IDX10667, key)));
+ throw LogHelper.LogExceptionMessage(new ArgumentException(LogHelper.FormatInvariant(LogMessages.IDX10667, LogHelper.MarkAsNonPII(key.KeyId))));
 }
 
 ///
diff --git a/src/Microsoft.IdentityModel.Tokens/Validators.cs b/src/Microsoft.IdentityModel.Tokens/Validators.cs
index a75bd5bfa4..6e882e3d2e 100644
--- a/src/Microsoft.IdentityModel.Tokens/Validators.cs
+++ b/src/Microsoft.IdentityModel.Tokens/Validators.cs
@@ -32,7 +32,7 @@ public static void ValidateAlgorithm(string algorithm, SecurityKey securityKey,
 {
 if (!validationParameters.AlgorithmValidator(algorithm, securityKey, securityToken, validationParameters))
 {
- throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidAlgorithmException(LogHelper.FormatInvariant(LogMessages.IDX10697, LogHelper.MarkAsNonPII(algorithm), securityKey))
+ throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidAlgorithmException(LogHelper.FormatInvariant(LogMessages.IDX10697, LogHelper.MarkAsNonPII(algorithm), LogHelper.MarkAsNonPII(securityKey?.KeyId)))
 {
 InvalidAlgorithm = algorithm,
 });
@@ -365,7 +365,7 @@ internal static void ValidateIssuerSecurityKey(SecurityKey securityKey, Security
 if (validationParameters.IssuerSigningKeyValidatorUsingConfiguration != null)
 {
 if (!validationParameters.IssuerSigningKeyValidatorUsingConfiguration(securityKey, securityToken, validationParameters, configuration))
- throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10232, securityKey)) { SigningKey = securityKey });
+ throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10232, LogHelper.MarkAsNonPII(securityKey?.KeyId))) { SigningKey = securityKey });
 
 return;
 }
@@ -373,7 +373,7 @@ internal static void ValidateIssuerSecurityKey(SecurityKey securityKey, Security
 if (validationParameters.IssuerSigningKeyValidator != null)
 {
 if (!validationParameters.IssuerSigningKeyValidator(securityKey, securityToken, validationParameters))
- throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10232, securityKey)) { SigningKey = securityKey });
+ throw LogHelper.LogExceptionMessage(new SecurityTokenInvalidSigningKeyException(LogHelper.FormatInvariant(LogMessages.IDX10232, LogHelper.MarkAsNonPII(securityKey?.KeyId))) { SigningKey = securityKey });
 
 return;
 }
diff --git a/src/Microsoft.IdentityModel.Xml/Signature.cs b/src/Microsoft.IdentityModel.Xml/Signature.cs
index 5a0d122beb..8fad20a3db 100644
--- a/src/Microsoft.IdentityModel.Xml/Signature.cs
+++ b/src/Microsoft.IdentityModel.Xml/Signature.cs
@@ -3,6 +3,7 @@
 
 using System;
 using System.IO;
+using Microsoft.IdentityModel.Logging;
 using Microsoft.IdentityModel.Tokens;
 using static Microsoft.IdentityModel.Logging.LogHelper;
 using static Microsoft.IdentityModel.Xml.XmlUtil;
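Review bot: The added `using Microsoft.IdentityModel.Logging;` in the `Signature.cs` hunk is redundant: the file already has `using static Microsoft.IdentityModel.Logging.LogHelper;` two lines below it, which is why `LogValidationException(...)` is called unqualified in `Verify`. The four new call sites in the hunks that follow could be written `MarkAsNonPII(key.KeyId)` and this directive dropped, or the static import removed and every call qualified; having `LogValidationException(LogMessages.IDX30203, cryptoProviderFactory, LogHelper.MarkAsNonPII(key.KeyId), ...)` mix both forms in one expression is the least readable of the three.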
@@ -105,7 +106,7 @@ public void Verify(SecurityKey key, CryptoProviderFactory cryptoProviderFactory)
 
 var signatureProvider = cryptoProviderFactory.CreateForVerifying(key, SignedInfo.SignatureMethod);
 if (signatureProvider == null)
- throw LogValidationException(LogMessages.IDX30203, cryptoProviderFactory, key, SignedInfo.SignatureMethod);
+ throw LogValidationException(LogMessages.IDX30203, cryptoProviderFactory, LogHelper.MarkAsNonPII(key.KeyId), SignedInfo.SignatureMethod);
 
 try
 {
@@ -113,7 +114,7 @@ public void Verify(SecurityKey key, CryptoProviderFactory cryptoProviderFactory)
 {
 SignedInfo.GetCanonicalBytes(memoryStream);
 if (!signatureProvider.Verify(memoryStream.ToArray(), Convert.FromBase64String(SignatureValue)))
- throw LogValidationException(LogMessages.IDX30200, cryptoProviderFactory, key);
+ throw LogValidationException(LogMessages.IDX30200, cryptoProviderFactory, LogHelper.MarkAsNonPII(key.KeyId));
 }
 
 SignedInfo.Verify(cryptoProviderFactory);
@@ -160,7 +161,7 @@ public void Verify(SecurityKey key, CryptoProviderFactory cryptoProviderFactory)
 var signatureProvider = cryptoProviderFactory.CreateForVerifying(key, SignedInfo.SignatureMethod);
 if (signatureProvider is null)
 return new SignatureValidationError(
- new MessageDetail(LogMessages.IDX30203, cryptoProviderFactory, key, SignedInfo.SignatureMethod),
+ new MessageDetail(LogMessages.IDX30203, cryptoProviderFactory, LogHelper.MarkAsNonPII(key.KeyId), SignedInfo.SignatureMethod),
 ValidationFailureType.XmlValidationFailed,
 typeof(SecurityTokenInvalidSignatureException),
 ValidationError.GetCurrentStackFrame());
@@ -175,7 +176,7 @@ public void Verify(SecurityKey key, CryptoProviderFactory cryptoProviderFactory)
 if (!signatureProvider.Verify(memoryStream.ToArray(), Convert.FromBase64String(SignatureValue)))
 {
 validationError = new SignatureValidationError(
- new MessageDetail(LogMessages.IDX30200, cryptoProviderFactory, key),
+ new MessageDetail(LogMessages.IDX30200, cryptoProviderFactory, LogHelper.MarkAsNonPII(key.KeyId)),
 ValidationFailureType.XmlValidationFailed,
 typeof(SecurityTokenInvalidSignatureException),
 ValidationError.GetCurrentStackFrame());
diff --git a/src/System.IdentityModel.Tokens.Jwt/JwtSecurityTokenHandler.cs b/src/System.IdentityModel.Tokens.Jwt/JwtSecurityTokenHandler.cs
index 9c52fef4aa..7888083c47 100644
--- a/src/System.IdentityModel.Tokens.Jwt/JwtSecurityTokenHandler.cs
+++ b/src/System.IdentityModel.Tokens.Jwt/JwtSecurityTokenHandler.cs
@@ -689,7 +689,8 @@ private JwtSecurityToken EncryptToken(
 }
 catch (Exception ex)
 {
- throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10616, LogHelper.MarkAsNonPII(encryptingCredentials.Enc), encryptingCredentials.Key), ex));
+ throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(
+ LogHelper.FormatInvariant(TokenLogMessages.IDX10616, LogHelper.MarkAsNonPII(encryptingCredentials.Enc), LogHelper.MarkAsNonPII(encryptingCredentials.Key.KeyId)), ex));
 }
 }
 }
@@ -1253,7 +1254,9 @@ private static bool ValidateSignature(byte[] encodedBytes, byte[] signature, Sec
 var cryptoProviderFactory = validationParameters.CryptoProviderFactory ?? key.CryptoProviderFactory;
 var signatureProvider = cryptoProviderFactory.CreateForVerifying(key, algorithm);
 if (signatureProvider == null)
- throw LogHelper.LogExceptionMessage(new InvalidOperationException(LogHelper.FormatInvariant(TokenLogMessages.IDX10636, key == null ? "Null" : key.ToString(), LogHelper.MarkAsNonPII(algorithm))));
+ throw LogHelper.LogExceptionMessage(
+ new InvalidOperationException(
+ LogHelper.FormatInvariant(TokenLogMessages.IDX10636, LogHelper.MarkAsNonPII(key == null ? "Null" : key.KeyId), LogHelper.MarkAsNonPII(algorithm))));
 
 try
 {
@@ -1852,13 +1855,13 @@ internal IEnumerable GetContentEncryptionKeys(JwtSecurityToken jwtT
 {
 exceptionStrings.AppendLine(ex.ToString());
 }
- keysAttempted.AppendLine(key.ToString());
+ keysAttempted.AppendLine(key.KeyId);
 }
 
 if (unwrappedKeys.Count > 0 || exceptionStrings.Length == 0)
 return unwrappedKeys;
 else
- throw LogHelper.LogExceptionMessage(new SecurityTokenKeyWrapException(LogHelper.FormatInvariant(TokenLogMessages.IDX10618, keysAttempted, exceptionStrings, jwtToken)));
+ throw LogHelper.LogExceptionMessage(new SecurityTokenKeyWrapException(LogHelper.FormatInvariant(TokenLogMessages.IDX10618, LogHelper.MarkAsNonPII(keysAttempted.ToString()), exceptionStrings, jwtToken)));
 }
 
 private static byte[] GetSymmetricSecurityKey(SecurityKey key)
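Review bot: In the new IDX10618 throw of `GetContentEncryptionKeys` (second hunk on this line) only `keysAttempted` is wrapped in `LogHelper.MarkAsNonPII`, while `exceptionStrings`, built in the same loop from `ex.ToString()`, and `jwtToken` are passed through unchanged and so remain subject to PII scrubbing. If that asymmetry is deliberate — exception text is free-form and may echo details of the failing key, and the token is a security artifact — a one-line comment on the throw, such as `// only the kid list is safe to log in clear; exception text and the token stay scrubbed`, would keep the next reader from "aligning" the three arguments. Separately, `keysAttempted.AppendLine(key.KeyId)` contributes an empty line for any key without a `kid`, so the attempted-key list can no longer be mapped back to the configured keys; `keysAttempted.AppendLine(key.KeyId ?? key.GetType().Name)` keeps the list useful without reintroducing key material. `GetContentEncryptionKeys` starts outside the hunk.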