Group: Forum Members
Posts: 38,
Visits: 175
|
I had a partner IdP configured with:

    "DigestMethod": "http://www.w3.org/2001/04/xmlenc#sha256",
    "SignatureMethod": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",

and got this error:

    ComponentSpace.SAML2.Exceptions.SAMLSignatureException: Failed to generate XML signature. ---> System.Security.Cryptography.CryptographicException: Invalid algorithm specified.
       at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
       at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte[] hash, Int32 cbHash, ObjectHandleOnStack retSignature)
       at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte[] hash)
       at System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte[] rgbHash, Int32 calgHash)
       at System.Security.Cryptography.Xml.SignedXml.ComputeSignature()
       at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, KeyInfo keyInfo, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:line 245
       --- End of inner exception stack trace ---
       at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, KeyInfo keyInfo, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:line 255
       at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, X509Certificate2Collection x509Certificates, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:line 356
       at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, X509Certificate2 x509Certificate, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:line 404
       at ComponentSpace.SAML2.Protocols.SAMLMessageSignature.Generate(XmlElement xmlElement, AsymmetricAlgorithm signingKey, X509Certificate2 x509Certificate, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Protocols\SAMLMessageSignature.cs:line 326
       at ComponentSpace.SAML2.InternalSAMLServiceProvider.CreateAuthnRequest(SSOOptions ssoOptions, String assertionConsumerServiceUrl, String singleSignOnServiceUrl) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:line 140
       at ComponentSpace.SAML2.InternalSAMLServiceProvider.InitiateSSO(HttpResponseBase httpResponse, String relayState, String partnerIdP, SSOOptions ssoOptions, String assertionConsumerServiceUrl, String singleSignOnServiceUrl) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:line 529
       at ComponentSpace.SAML2.SAMLServiceProvider.InitiateSSO(HttpResponseBase httpResponse, String relayState, String partnerIdP, SSOOptions ssoOptions, String assertionConsumerServiceUrl, String singleSignOnServiceUrl) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\SAMLServiceProvider.cs:line 201

I then changed it to this:

    "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1",
    "SignatureMethod": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",

and it then worked fine. Am I incorrect in trying to use SHA-256? Thanks!
|
ComponentSpace Development
Group: Administrators
Posts: 3.1K,
Visits: 10K
|
You need to enable SHA-256 XML signature support on your system. Once this is done you should no longer get the "Invalid algorithm" error. Please refer to the following topic which describes how to enable this support. http://www.componentspace.com/Forums/30/SHA256-XML-Signature-Support
Regards ComponentSpace Development
|
Group: Forum Members
Posts: 38,
Visits: 175
|
I do have it enabled. I have several IdPs configured with SHA256. In my app, I did as the doc recommended and have this:

    using System.Security.Cryptography;

    // Enable SHA-256 XML signature support.
    // RSAPKCS1SHA256SignatureDescription is the signature description class from the
    // linked ComponentSpace topic (the same name is built into .NET Framework 4.6.2 and later).
    CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription),
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");

It only seems to be a problem with a custom local SP certificate for a given IdP. The certificate looks fine: it can be imported/exported OK and can be read fine via the X509Certificate2 class. The certificate I'm using has sha256RSA as the signature algorithm.
|
ComponentSpace Development
Group: Administrators
Posts: 3.1K,
Visits: 10K
|
If it's specific to a particular certificate/private key then there must be an issue with that certificate/private key. The most likely cause is that the wrong cryptographic provider is associated with the private key. The following topic describes how to confirm this. http://www.componentspace.com/Forums/1565/SHA256-and-Cryptographic-Provider-Types If the wrong cryptographic provider is specified for the private key then you can convert this as described in the following article. http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Provider-Type
Regards ComponentSpace Development
|
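The check-and-convert procedure from the reply above, as an added example that is not code from the ComponentSpace forum or library. It is a POSIX shell script around openssl: it builds a throwaway self-signed SP certificate (constructed test data) packaged with the "Microsoft RSA SChannel Cryptographic Provider" CSP name, reads the CSP name back out of the PKCS#12 key bag (the check), and re-exports the file with -CSP set to "Microsoft Enhanced RSA and AES Cryptographic Provider" (the conversion). The working directory, password and CN are assumptions for the demonstration. It needs an OpenSSL build that understands the -CSP option (1.0.0 or later); the last posts in this thread show what an older build produces.

```shell
#!/bin/sh
# Added example, not code from the ComponentSpace forum or library: simulate a
# PFX whose private key is tagged for a CSP that cannot sign SHA-256, check the
# tag with openssl, and re-export the PFX for the AES-capable provider.
# Needs openssl 1.0.0 or newer for -CSP; check with: openssl version
set -e

WORK=${WORK:-$(mktemp -d)}       # assumption: scratch directory
PASS=${PASS:-changeit}           # constructed test password, not a real one

# Windows CSP names. The SChannel provider (PROV_RSA_SCHANNEL) cannot produce
# SHA-256 signatures; the Enhanced RSA and AES provider (PROV_RSA_AES) can.
OLD_CSP="Microsoft RSA SChannel Cryptographic Provider"
NEW_CSP="Microsoft Enhanced RSA and AES Cryptographic Provider"

# Check step: print the CSP name stored in the key bag of a PFX ("" if absent).
pfx_csp() {
    openssl pkcs12 -info -in "$1" -passin "pass:$PASS" -nodes 2>/dev/null |
        sed -n 's/^[[:space:]]*Microsoft CSP Name:[[:space:]]*//p' | head -n 1
}

# Convert step: unpack key and certificate, then re-export with a new CSP name.
# SHA-1/3DES PBE and a SHA-1 MAC are chosen because older Windows versions
# refuse to import the PBES2/AES PKCS#12 that OpenSSL 3 produces by default.
convert_pfx_csp() {
    in_pfx=$1; out_pfx=$2; csp=$3
    openssl pkcs12 -in "$in_pfx" -passin "pass:$PASS" -nodes -nocerts \
        -out "$WORK/key.pem" 2>/dev/null
    openssl pkcs12 -in "$in_pfx" -passin "pass:$PASS" -nokeys -clcerts \
        -out "$WORK/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -CSP "$csp" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$PASS" -out "$out_pfx"
    rm -f "$WORK/key.pem"        # never leave the plaintext key behind
}

# Constructed input: a throwaway self-signed SP certificate packaged with the
# SChannel CSP name, i.e. the condition behind "Invalid algorithm specified".
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=sp-test" \
        -keyout "$WORK/sp.key" -out "$WORK/sp.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/sp.key" -in "$WORK/sp.crt" \
        -CSP "$OLD_CSP" -passout "pass:$PASS" -out "$WORK/sp-old.pfx"
    rm -f "$WORK/sp.key"
}

# Whole procedure: returns 0 only if the converted PFX now names NEW_CSP.
demo() {
    make_test_pfx
    echo "before: $(pfx_csp "$WORK/sp-old.pfx")"
    convert_pfx_csp "$WORK/sp-old.pfx" "$WORK/sp-new.pfx" "$NEW_CSP"
    echo "after:  $(pfx_csp "$WORK/sp-new.pfx")"
    [ "$(pfx_csp "$WORK/sp-new.pfx")" = "$NEW_CSP" ]
}

demo
```

On the Windows side the same information is the provider of the key container that the PFX import creates: for a certificate loaded through X509Certificate2, the RSACryptoServiceProvider behind PrivateKey exposes CspKeyContainerInfo.ProviderName and ProviderType, and SHA-256 signing through that key only succeeds when the type is 24 (PROV_RSA_AES). Converting the PFX changes the name that import will honour; it does not touch a key container already in the store, so the certificate has to be re-imported from the converted file.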
Group: Forum Members
Posts: 38,
Visits: 175
|
You are amazing. Thank you!
|
ComponentSpace Development
Group: Administrators
Posts: 3.1K,
Visits: 10K
|
You're welcome. :)
Regards ComponentSpace Development
|
Group: Forum Members
Posts: 3,
Visits: 5
|
I am able to generate a metadata file by calling

    SAMLMetadataSignature.Generate(xmlElement, x509Certificate.PrivateKey, x509Certificate, null,
        "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2000/09/xmldsig#rsa-sha1");

but not

    SAMLMetadataSignature.Generate(xmlElement, x509Certificate.PrivateKey, x509Certificate);

using the default sha256 encryption.

I saw a post regarding this at:
http://www.componentspace.com/Forums/1623/SAMLSignatureException-Failed-to-generate-XML-signature-Invalid-algorithm-specified?Keywords=Working%20with%20Federation%20Metadata

and followed the instructions on:
http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Provider-Type

to attempt to change the cryptographic provider to: Microsoft Enhanced RSA and AES Cryptographic Provider

This however did not work, and I am still unable to use the sha256 encryption. Is there any further guidance you can provide to get the default sha256 encryption working?

Also, if I could make a suggestion: documenting this in your documentation would be a big help for future prospective clients.

Thank you for your assistance.
|
ComponentSpace Development
Group: Administrators
Posts: 3.1K,
Visits: 10K
|
Were you not able to perform the conversion using openssl? If so, what error are you getting? Thanks for the suggestion about the documentation. I'll see this is incorporated into the next documentation update.
Regards ComponentSpace Development
|
Group: Forum Members
Posts: 3,
Visits: 5
|
> Were you not able to perform the conversion using openssl? If so, what error are you getting? Thanks for the suggestion about the documentation. I'll see this is incorporated into the next documentation update.

I have no errors.

Before the conversion the pfx was like this:

    C:\Program Files (x86)\GnuWin32\bin>openssl pkcs12 -info -in d:\saml\RapidSSLWildCard.pfx
    Enter Import Password:
    MAC Iteration 1
    MAC verified OK
    PKCS7 Data
    Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
    Bag Attributes
        1.3.6.1.4.1.311.17.2: <No Values>
        localKeyID: 01 00 00 00
        friendlyName: le-e48c316d-0efe-4765-b4d2-9fd8ffd15ba8
        Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
    Key Attributes
        X509v3 Key Usage: 10
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,2E4B86103C8222BA

After the conversion it was like this:

    C:\Program Files (x86)\GnuWin32\bin>openssl pkcs12 -in d:\saml\idp.pfx
    Enter Import Password:
    MAC verified OK
    Bag Attributes
        localKeyID: 6C 7B 88 26 B7 8C 3F ED 2B 53 D3 C4 33 A9 EE 2B 1A A4 FA F3
    subject=/CN=*.comviewcorp.com
    issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3

The attribute bag for the CSP seems to be missing. After the conversion only SHA1 works.
|
Group: Forum Members
Posts: 3,
Visits: 5
|
Turns out I was using a really old version of OpenSSL.
I updated it to 1.1.0c and it worked like a charm.
Thanks for the help
I hope this helps someone else
|