Hi All,
I have got a digitally signed XML document from client an trying to validate it. I am using the Windows 2008 server R2 environment .
In this xml file the response I am getting is with Signature algorithm sha256
ds:SignatureMethod Algorithm="
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
I created a digitally signed xml on my local machine. It is showing the digital signature with sha1 algorithm.
SignatureMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#rsa-sha1"
I am able to validate this file using the code I have with me.
But facing problems with client generated sha256 algorithm xml file.
I am getting the error: "SignatureDescription could not be created for the signature algorithm supplied."
I tried with various posts explaining how to validate a SAML Response but unable to get the solution.
Please suggest how I could validate this file with ds:SignatureMethod Algorithm of sha256.
------------------------------------
Here is XML file that I am able to validate:
------------------------------------
<MyElement xmlns="
samples"
> Example text to be signed.
<Signature xmlns="
http://www.w3.org/2000/09/xmldsig#"
>
<SignedInfo>
<CanonicalizationMethod Algorithm="
http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
/>
<SignatureMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#rsa-sha1"
/>
<Reference URI=""
>
<Transforms>
<Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature"
/>
</Transforms>
<DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1"
/>
<DigestValue>zSI5ZAMmQ+8u7R2rP7aAPT6nNQw=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>sroeP57d2oEGG/vWyXNgwtVHRD6FgJPlTObOLETuh7rzCDoTHZnk9iQzZnmYg4JPLrGpZ6Ii0zBV5TQnir6ye6B4lKdIliQ7/MBIb/w1rzj37PyfjIQhOtuHDMzehvHbBm9HOd3Q3x+jWhkQlIuDiEkxyN5MECJjg1YSXCOY+pk=
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIICIzCCAYygAwIBAgIQfIzmGyaIj6BHKoXsXkPnsTANBgkqhkiG9w0BAQQFADAjMSEwHwYDVQQDHhgAWABNAEwARABTAEkARwBfAFQAZQBzAHQwHhcNMDQxMjMxMTgzMDAwWhcNMDkxMjMxMTgzMDAwWjAjMSEwHwYDVQQDHhgAWABNAEwARABTAEkARwBfAFQAZQBzAHQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL+hg6AnrxZssR5x2WQOC/lvzIvKtfNRgOTUCohdsZUIQADDRNVU5rF97X8huKyqHmsJdq9tuPMPJpEkXgcynBhw9uLaQp4zEOUDOS2Z/WhAASf8InFGufEjqtU2mDvDcZa6ABAMjbKSFWFYaJ9jzo6O30ADwfaxmG1Pf5WmS5YfAgMBAAGjWDBWMFQGA1UdAQRNMEuAEKywDpG6PDEdbJMg6SJ1gWqhJTAjMSEwHwYDVQQDHhgAWABNAEwARABTAEkARwBfAFQAZQBzAHSCEHyM5hsmiI+gRyqF7F5D57EwDQYJKoZIhvcNAQEEBQADgYEAPF8qOEbM+64kt+sfRtZFMCw2b4QjF2GefKpqzYol37VAdjOvoE3OMRGInQLXPf5fqPY1DLTy83zbK3A31U2UJI5RiPyAJHQQxHmKGntyo/TyGGOXZy0qtq/+ETQl1QsD0Agwvlgd9GaMK5V6/U5RrldYP2G3nQDOt8+cek/FBps=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</MyElement>------------------------------------
Client file( unable to validate):I have changed some of information from XML for security reasons.
------------------------------------
<samlp:Response ID="
_9sdsddsaAAsada"
Version="
2.0"
IssueInstant="
2011-06-28T15:45:13.424Z"
Destination="
https://test.abc.com/abc/"
Consent="
urn:oasis:names:tc:SAML:2.0:consent:unspecified"
xmlns:samlp="
urn:oasis:names:tc:SAML:2.0:protocol"
>
<Issuer xmlns="
urn:oasis:names:tc:SAML:2.0:assertion"
>http://mydomain.com/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="
urn:oasis:names:tc:SAML:2.0:status:Success"
/>
</samlp:Status>
<Assertion ID="
_7a4"
IssueInstant="
2011-06-28T15:45:13.424Z"
Version="
2.0"
xmlns="
urn:oasis:names:tc:SAML:2.0:assertion"
>
<Issuer>http://mydomain.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="
http://www.w3.org/2000/09/xmldsig#"
>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"
/>
<ds:SignatureMethod Algorithm="
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
/>
<ds:Reference URI="
#_testxyz12345"
>
<ds:Transforms>
<ds:Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature"
/>
<ds:Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transforms>
<ds:DigestMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#sha256"
/>
<ds:DigestValue>tpyyynxxyyyYsk55Gh83D5kFsTgE=
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>1kWJzznFjd4F6A/ij4TdsqfXgsTN0QJ8dfshjsdjfsds njfjsdfsdjfdsfa3OvkUSYJ0iYznPmdOKD8SeTKuJfxOuUVKMoBMO6xHR48ywnRbzWIduP/p+G4Tcw/qT5Ka84aKEpA3nJLHAEEN4HsLVhQWD6jS852kyjPQIBmEGxG3Ya5TwU/vWg6budcVTXQ/vln+DhVhYEnR69CtUSp6eyIJb9rqV+HtUmz6djRN+1MB+80DQC8K4V4vW3YUiNGglZyXmF5g==
</ds:SignatureValue>
<KeyInfo xmlns="
http://www.w3.org/2000/09/xmldsig#"
>
<ds:X509Data>
<ds:X509Certificate>BDDkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTodsadhydfgdbhshc5lbnRydXN0Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xMTAzMDQxMzU1NDZaFw0xMzA1MDQxNzMwMDJaMHwxCzAJBgNVBAYTAlVTMRQwEgYDVQQIEwtDb25uZWN0aWN1dDESMBAGA1UEBxMJTmV3aW5ndG9uMQwwCgYDVQQKEwNVVEMxDDAKBgNVBAsTA1VUQzEnMCUGA1UEAxMeYWRmc3N0YWdldG9rZW4uZnMxYS51dGNkbXouY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1oNT/9ainRH//98SVcIL0a8pYQm8QCK7duG0iP1Y1fU9DhKwyh18EmpflHQwlrDTzz+7yxVE79fI3D1WokkpMipG8t9Zt9u21NrMUhtb5zVUGxFk5arHZpbCmBjmNtCjjZ9AAgw/ys09Cggpo6cG4zwjtrmL9cAooapxQr/orLEChNU+XZZe47cPerfl/4Ih5MJCsXSIbE0r1wOqLDqSj2n6cJp/IXVKKz5Z4pF3PlxH3c2XWwUGpNohHPjLsG/1WN3nOMo3ljQFtqmLgmH9Pg/z/1MLMuhs4zx+fZabpQO9B1qAxgPHuowPTZPM914iDvku8ncfVuW2Ww8uH8jz/wIDAQABo4IBHTCCARkwCwYDVR0PBAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwuZW50cnVzdC5uZXQvbGV2ZWwxYy5jcmwwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDBABgNVHSAEOTA3MDUGCSqGSIb2fQdLAjAoMCYGCCsGAQUFBwIBFhpodHRwOi8vd3d3LmVudHJ1c3QubmV0L3JwYTAfBgNVHSMEGDAWgBQe8auJBvhJDwEzd+4Ueu4ZfJMoTTAdBgNVHQ4EFgQUNc2mj8QIq+JJ5tR1h9PdyoPdWmowCQYDVR0TBAIwADANBgkqhkiG9w0BAQUFAAOCAQEATp2vdECO6vslLbz/cKkHtSqJOym9/5t4PU68TbbBQDJwac4GRAA5NAjZ8NGaNgO7VYZAAWpd9MPcNcDo4+4kaX0UJXx6BQhfCRQLfUV2HuqNkK76DSuGsi8Q/jHb+hR/lJ0kfjopuTlU7SKT7bRmlqF01bSa09Ifds1ujgiWCBSiKDTvj5SgUW/m/TNHtKUs/KppPsIkFRJFNBiKdL6KJR2Kt6VoxfzYmAKr9WDVVj9gSM4mUpRKF1X3C7ZiHAUgNM3xSCfETK774+1g0zEjQjL04bJXPt8m8MQMmRuhm05Nsl7VumBGcwoosKPthYTrBwawen6aZhqrWstwVWs7Dw==
</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID Format="
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>SWESTKIR
</NameID>
<SubjectConfirmation Method="
urn:oasis:names:tc:SAML:2.0:cm:bearer"
>
<SubjectConfirmationData NotOnOrAfter="
2011-06-28T15:50:13.424Z"
Recipient="
https://testRecipient.test.com/abc/"
/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="
2011-06-28T15:45:13.416Z"
NotOnOrAfter="
2011-06-28T16:45:13.416Z"
>
<AudienceRestriction>
<Audience>https://Audience.test.com/abc/</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="
http://schemas.xmlsoap.org/claims/CommonName"
a:OriginalIssuer="
http://test.App.com/"
xmlns:a="
http://schemas.xmlsoap.org/ws/2009/09/identity/claims"
>
<AttributeValue>efs
</AttributeValue>
</Attribute>
<Attribute Name="
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
a:OriginalIssuer="
http://test.App.com/"
xmlns:a="
http://schemas.xmlsoap.org/ws/2009/09/identity/claims"
>
<AttributeValue>apple
</AttributeValue>
</Attribute>
<Attribute Name="
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
a:OriginalIssuer="
http://test.App.com/"
xmlns:a="
http://schemas.xmlsoap.org/ws/2009/09/identity/claims"
>
<AttributeValue>cap
</AttributeValue>
</Attribute>
<Attribute Name="
http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
a:OriginalIssuer="
http://test.App.com/"
xmlns:a="
http://schemas.xmlsoap.org/ws/2009/09/identity/claims"
>
<AttributeValue> </AttributeValue>
</Attribute>
<Attribute Name="
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
a:OriginalIssuer="
http://test.App.com/"
xmlns:a="
http://schemas.xmlsoap.org/ws/2009/09/identity/claims"
>
<AttributeValue>test@testApp.com</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="
2011-06-28T15:45:09.805Z"
SessionIndex="
_5a4fd-4aba-4660-a136-80rr1b4c378"
>
<AuthnContext>
<AuthnContextClassRef>urn:federation:authentication:windows
</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>Here is my code:------------------------------------
Code to sign a XML:
------------------------------------
// Sign an XML file and save the signature in a new file. public static void SignXmlFile(
string FilePath,
string SignedFileNamePath,
string SubjectName)
{
// Load the certificate from the certificate store. X509Certificate2 cert = GetCertificateBySubject(SubjectName);
// Create a new XML document. XmlDocument doc =
new XmlDocument();
// Format the document to ignore white spaces. doc.PreserveWhitespace =
false;
// Load the passed XML file using it's name. doc.Load(FilePath);
// Create a SignedXml object. SignedXml signedXml =
new SignedXml(doc);
// Add the key to the SignedXml document. signedXml.SigningKey = cert.PrivateKey;
// Create a reference to be signed. Reference reference =
new Reference();
reference.Uri =
"";
// Add an enveloped transformation to the reference. XmlDsigEnvelopedSignatureTransform env =
new XmlDsigEnvelopedSignatureTransform();
reference.AddTransform(env);
// Add the reference to the SignedXml object. signedXml.AddReference(reference);
// Create a new KeyInfo object. KeyInfo keyInfo =
new KeyInfo();
// Load the certificate into a KeyInfoX509Data object // and add it to the KeyInfo object. keyInfo.AddClause(
new KeyInfoX509Data(cert));
// Add the KeyInfo object to the SignedXml object. signedXml.KeyInfo = keyInfo;
// Compute the signature. signedXml.ComputeSignature();
// Get the XML representation of the signature and save // it to an XmlElement object. XmlElement xmlDigitalSignature = signedXml.GetXml();
// Append the element to the XML document. doc.DocumentElement.AppendChild(doc.ImportNode(xmlDigitalSignature,
true));
if (doc.FirstChild
is XmlDeclaration)
{
doc.RemoveChild(doc.FirstChild);
}
// Save the signed XML document to a file specified // using the passed string. using (
XmlTextWriter xmltw =
new XmlTextWriter(SignedFileNamePath,
new UTF8Encoding(
false)))
{
doc.WriteTo(xmltw);
xmltw.Close();
}
}
------------------------------------
Code to verify signed XML:
------------------------------------
public static bool isValidSignature(
String xmlFilePath,
String CertificatePath)
{
// Load the certificate from the store. X509Certificate2 cert = GetCertificateByFile(CertificatePath);
// Create a new XML document. XmlDocument xmlDocument =
new XmlDocument();
// Load the passed XML file into the document. xmlDocument.Load(xmlFilePath);
// Create a new SignedXml object and pass it // the XML document class. SignedXml signedXml =
new SignedXml(xmlDocument);
// Find the "Signature" node and create a new // XmlNodeList object. XmlNodeList nodeList = xmlDocument.GetElementsByTagName(
"Signature");
// Handling Signature and ds:Signature temporarily if (nodeList.Count == 0)
{
nodeList = xmlDocument.GetElementsByTagName(
"ds:Signature");
}
// Load the signature node. signedXml.LoadXml((
XmlElement)nodeList[0]);
// Check the signature and return the result. return signedXml.CheckSignature(cert,
true);
}
This
signedXml.CheckSignature(cert, true); gives the exception: "System.Security.Cryptography.CrytographicException"
with message: "SignatureDescription could not be created for the signature algorithm supplied"
when using the client XML with
ds:SignatureMethod Algorithm="
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
------------------------------------
public static X509Certificate2 GetCertificateByFile(
string certificatePath)
{
X509Certificate2 x509 =
new X509Certificate2();
//Create X509Certificate2 object from .cer file. byte[] rawData = ReadFile(certificatePath);
x509.Import(rawData);
return x509;
}
------------------------------------
//Reads a file. internal static byte[] ReadFile(
string fileName)
{
FileStream f =
new FileStream(fileName,
FileMode.Open,
FileAccess.Read);
int size = (
int)f.Length;
byte[] data =
new byte[size];
size = f.Read(data, 0, size);
f.Close();
return data;
}
------------------------------------
Thanks in advance