ComponentSpace Forums

SAMLSignatureException: Failed to generate XML signature. Invalid algorithm specified

dmarlow
Junior Member
I had partner IdP configured with:

"DigestMethod": "http://www.w3.org/2001/04/xmlenc#sha256",
"SignatureMethod": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",

and got this error:


ComponentSpace.SAML2.Exceptions.SAMLSignatureException: Failed to generate XML signature. ---> System.Security.Cryptography.CryptographicException: Invalid algorithm specified.

 at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
 at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte[] hash, Int32 cbHash, ObjectHandleOnStack retSignature)
 at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte[] hash)
 at System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte[] rgbHash, Int32 calgHash)
 at System.Security.Cryptography.Xml.SignedXml.ComputeSignature()
 at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, KeyInfo keyInfo, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:line 245
 --- End of inner exception stack trace ---
 at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, KeyInfo keyInfo, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:line 255
 at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, X509Certificate2Collection x509Certificates, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:line 356
 at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, X509Certificate2 x509Certificate, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:line 404
 at ComponentSpace.SAML2.Protocols.SAMLMessageSignature.Generate(XmlElement xmlElement, AsymmetricAlgorithm signingKey, X509Certificate2 x509Certificate, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Protocols\SAMLMessageSignature.cs:line 326
 at ComponentSpace.SAML2.InternalSAMLServiceProvider.CreateAuthnRequest(SSOOptions ssoOptions, String assertionConsumerServiceUrl, String singleSignOnServiceUrl) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:line 140
 at ComponentSpace.SAML2.InternalSAMLServiceProvider.InitiateSSO(HttpResponseBase httpResponse, String relayState, String partnerIdP, SSOOptions ssoOptions, String assertionConsumerServiceUrl, String singleSignOnServiceUrl) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:line 529
 at ComponentSpace.SAML2.SAMLServiceProvider.InitiateSSO(HttpResponseBase httpResponse, String relayState, String partnerIdP, SSOOptions ssoOptions, String assertionConsumerServiceUrl, String singleSignOnServiceUrl) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\SAMLServiceProvider.cs:line 201
 


I then changed it to this:
"DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1",
"SignatureMethod": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",

and it then worked fine. Am I incorrect in trying to use SHA-256?

Thanks!
ComponentSpace
ComponentSpace Development
You need to enable SHA-256 XML signature support on your system. Once this is done you should no longer get the "Invalid algorithm" error.
Please refer to the following topic which describes how to enable this support.
http://www.componentspace.com/Forums/30/SHA256-XML-Signature-Support





Regards
ComponentSpace Development
dmarlow
Junior Member
I do have it enabled. I have several IdPs configured with SHA256. In my app, I did as the doc recommended and have this:

    // Enable SHA-256 XML signature support.
    CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription),
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");

Only seems to be a problem with a custom local SP certificate for a given IdP. Certificate looks fine, can import/export OK. Can read fine via X509Certificate2 class. The certificate I'm using has sha256RSA as the signature algorithm.
ComponentSpace
ComponentSpace Development
If it's specific to a particular certificate/private key then there must be an issue with that certificate/private key.
The most likely cause is that the wrong cryptographic provider is associated with the private key.
The following topic describes how to confirm this.
http://www.componentspace.com/Forums/1565/SHA256-and-Cryptographic-Provider-Types
If the wrong cryptographic provider is specified for the private key then you can convert this as described in the following article.
http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Provider-Type





Regards
ComponentSpace Development
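The provider check and the PFX conversion that the reply above points to, as an added example that is not ComponentSpace's code and not from the linked topics: it uses `openssl pkcs12` (the same tool the later posts in this thread run) to read the `Microsoft CSP Name` bag attribute stored next to the private key in a PFX, and to re-export the PFX with that attribute set to the AES-capable provider, which is the one that can produce RSA-SHA256 signatures through CryptoAPI. Everything in it is constructed or assumed: the self-signed certificate and its `sp.example.test` subject, the throwaway password, the temp directory, and the `make_test_pfx` / `csp_name` / `convert_pfx` / `needs_conversion` function names. Against a real file, call `csp_name` and `convert_pfx` on that PFX instead of the constructed one.

```shell
#!/bin/sh
# Added example (not ComponentSpace code): inspect which Windows CSP a PFX private
# key is tagged for, and re-export the PFX tagged for the AES-capable CSP.
# Windows CryptoAPI provider types involved:
#   PROV_RSA_FULL     = 1   "Microsoft Strong Cryptographic Provider"           (no SHA-2 signing)
#   PROV_RSA_SCHANNEL = 12  "Microsoft RSA SChannel Cryptographic Provider"     (no SHA-2 signing)
#   PROV_RSA_AES      = 24  "Microsoft Enhanced RSA and AES Cryptographic Provider" (SHA-2 signing OK)
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PFX_PASS=changeit   # assumption: throwaway password for the constructed test files
LEGACY_CSP="Microsoft RSA SChannel Cryptographic Provider"
AES_CSP="Microsoft Enhanced RSA and AES Cryptographic Provider"

# Constructed input: a throwaway self-signed SP certificate exported into a PFX whose
# key bag carries the SChannel CSP name, i.e. the "before" state shown in this thread.
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=sp.example.test" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -passout "pass:$PFX_PASS" -CSP "$LEGACY_CSP" -out "$WORK/before.pfx"
}

# Print the "Microsoft CSP Name" bag attribute of the private key in a PFX (the same
# line "openssl pkcs12 -info" shows); prints nothing when the attribute is absent.
csp_name() {
    openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
        | sed -n 's/^[[:space:]]*Microsoft CSP Name:[[:space:]]*//p'
}

# Unwrap the PFX to PEM, then re-export it with the key tagged for the AES-capable CSP.
# Windows reads this attribute on import, so the key lands in a provider that can
# sign with SHA-256. Only the attribute changes; the key and certificate are unchanged.
convert_pfx() {
    _in=$1; _out=$2
    openssl pkcs12 -in "$_in" -passin "pass:$PFX_PASS" -nodes \
        -out "$WORK/unwrapped.pem" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/unwrapped.pem" -passout "pass:$PFX_PASS" \
        -CSP "$AES_CSP" -out "$_out"
    rm -f "$WORK/unwrapped.pem"   # plaintext private key; do not leave it on disk
}

# Return 0 when the key is tagged for anything other than the AES-capable CSP,
# including the case where the attribute is missing altogether.
needs_conversion() {
    [ "$(csp_name "$1")" != "$AES_CSP" ]
}

make_test_pfx
echo "before: CSP name = '$(csp_name "$WORK/before.pfx")'"
if needs_conversion "$WORK/before.pfx"; then
    convert_pfx "$WORK/before.pfx" "$WORK/after.pfx"
fi
echo "after:  CSP name = '$(csp_name "$WORK/after.pfx")'"
```

Two practical notes. A PFX whose key bag has no `Microsoft CSP Name` attribute at all is treated as needing conversion too, because that is exactly the state a later post in this thread reports after a conversion with an OpenSSL build that silently ignored `-CSP`; check the attribute after re-exporting rather than assuming the option took effect. And dropping back to `rsa-sha1`, as the opening post did, hides the provider problem instead of fixing it: the key still sits in a CSP that cannot sign with SHA-2, and SHA-1 XML signatures are something a partner IdP may refuse.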
dmarlow
Junior Member
You are amazing. Thank you!
ComponentSpace
ComponentSpace Development
You're welcome. :)

Regards
ComponentSpace Development
matthewf
New Member
ComponentSpace - 8/19/2015
If it's specific to a particular certificate/private key then there must be an issue with that certificate/private key.
The most likely cause is that the wrong cryptographic provider is associated with the private key.
The following topic describes how to confirm this.
http://www.componentspace.com/Forums/1565/SHA256-and-Cryptographic-Provider-Types
If the wrong cryptographic provider is specified for the private key then you can convert this as described in the following article.
http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Provider-Type




I am able to generate a meta data file by calling

SAMLMetadataSignature.Generate(xmlElement, x509Certificate.PrivateKey, x509Certificate, null, "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2000/09/xmldsig#rsa-sha1");

but not

SAMLMetadataSignature.Generate(xmlElement, x509Certificate.PrivateKey, x509Certificate );

using the default sha256 encryption

I saw a post regarding this at: http://www.componentspace.com/Forums/1623/SAMLSignatureException-Failed-to-generate-XML-signature-Invalid-algorithm-specified?Keywords=Working%20with%20Federation%20Metadata

And followed the instructions on:

http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Provider-Type

to attempt to change the cryptographic provider to: Microsoft Enhanced RSA and AES Cryptographic Provider

This however did not work, and I am still unable to use the sha256 encryption.

Is there any further guidance you can provide to get the default sha256 encryption working?

Also if I could make a suggestion: documenting this in your documentation would be a big help for future prospective clients.

Thank you for your assistance.

ComponentSpace
ComponentSpace Development
Were you not able to perform the conversion using openssl?
If so, what error are you getting?
Thanks for the suggestion about the documentation. I'll see this is incorporated into the next documentation update.

Regards
ComponentSpace Development
matthewf
New Member
ComponentSpace - 12/22/2016
Were you not able to perform the conversion using openssl?
If so, what error are you getting?
Thanks for the suggestion about the documentation. I'll see this is incorporated into the next documentation update.

I have no errors

Before the conversion the pfx was like this

C:\Program Files (x86)\GnuWin32\bin>openssl pkcs12 -info -in d:\saml\RapidSSLWildCard.pfx
Enter Import Password:
MAC Iteration 1
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Bag Attributes
    1.3.6.1.4.1.311.17.2: <No Values>
    localKeyID: 01 00 00 00
    friendlyName: le-e48c316d-0efe-4765-b4d2-9fd8ffd15ba8
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
    X509v3 Key Usage: 10
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2E4B86103C8222BA

After the conversion it was like this

C:\Program Files (x86)\GnuWin32\bin>openssl pkcs12 -in d:\saml\idp.pfx
Enter Import Password:
MAC verified OK
Bag Attributes
    localKeyID: 6C 7B 88 26 B7 8C 3F ED 2B 53 D3 C4 33 A9 EE 2B 1A A4 FA F3
subject=/CN=*.comviewcorp.com
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3

The attribute bag for the CSP seems to be missing

After the conversion only SHA1 works



matthewf
New Member
Turns out I was using a really old version of OpenSSL

I updated it to 1.1.0c and it worked like a charm

Thanks for the help

I hope this helps someone else

