ComponentSpace

Forums



SHA-256 XML Signature Support


SHA-256 XML Signature Support

Author
Message
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K

By default, SHA-1 signatures are supported and are perfectly suitable for the majority of use cases. However, SHA-256, SHA-384 and SHA-512 (member of the SHA-2 family of algorithms) signatures are also supported for those use cases requiring additional security.

The SHA256Signature example project demonstrates SHA-256, SHA-384 and SHA-512 signature generation and verification. Successfully running this example project confirms that SHA-256, SHA-384 and SHA-512 support is enabled.

There are two options for supporting SHA-256, SHA-384 and SHA-512 XML signatures depending on the target .NET framework level.

.NET 4.0 Framework Support
For .NET 4.0 and above, SHA-256, SHA-384 and SHA-512 support is, for the most part, built into the .NET framework. The only requirement is to register the cryptographic algorithm which is done automatically if using the .NET 4.0 version of the ComponentSpace.SAML2 DLL.

CLR Security Update for .NET 3.5
Wherever possible, if SHA-256, SHA-384 or SHA-512 support is required, it's highly recommended to upgrade to .NET 4.0 or later.
The .NET 2.0 framework does not support SHA-256, SHA-384 or SHA-512, or the CLR security update.
For .NET 3.5, SHA-256, SHA-384 and SHA-512 support in XML signatures requires the use of the CLR security update.
Version 1.6.0.0 of the CLR security update is recommended as a strong named version of the CLR security update DLL is required for installation into the GAC.
Download the CLR security update from:

http://clrsecurity.codeplex.com/releases/view/47764

Installation instructions may be found at:

http://clrsecurity.codeplex.com/wikipage?title=Security.Cryptography.RSAPKCS1SHA256SignatureDescription&referringTitle=Home&ProjectName=clrsecurity 
 
Extract the Security.Cryptography DLL from the CLR security zip.

Run gacutil.exe /i Security.Cryptography.dll to add the assembly to the GAC.

View the assembly (e.g. C:\Windows\assembly) and note the version number (e.g 1.6.0.0). Alternatively, the version number may be found by running:

gacutil.exe /l Security.Cryptography

Update machine.config (e.g. for .NET 3.5 in C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config and C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config) ensuring the version number of the assembly is correct. The <mscorlib> should be inserted after the <system.web> section in <configuration>. See below for an example configuration.

Certificates and keys should be generated using the “Microsoft Enhanced RSA and AES Cryptographic Provider”.

The following is an example configuration for insertion into machine.config.


<mscorlib>
<!-- ... -->
<cryptographySettings>
  <cryptoNameMapping>
  <cryptoClasses>
   <cryptoClass RSASHA256SignatureDescription="Security.Cryptography.RSAPKCS1SHA256SignatureDescription, Security.Cryptography, Version=1.6.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </cryptoClasses>
  <nameEntry name="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" class="RSASHA256SignatureDescription" />
  </cryptoNameMapping>
</cryptographySettings>
</mscorlib>

To generate SHA-256 signatures, use one of the overloaded signature Generate methods that take as parameters the digest and signature methods.
The default digest method is http://www.w3.org/2000/09/xmldsig#sha1.
The default signature method is http://www.w3.org/2000/09/xmldsig#rsa-sha1.
Instead of the defaults, specify http://www.w3.org/2001/04/xmlenc#sha256 as the digest method and http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 as the signature method.

For example:

SAMLMessageSignature.Generate(
    samlResponseElement,
    x509Certificate.PrivateKey,
    x509Certificate,
    null,
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");


No code changes are required to verify SHA-256 signatures.

Cryptographic Provider Types
Not all cryptographic provider types support SHA-256 XML signatures.
Refer to the following topics for more information.
SHA-256 and Cryptographic Provider Types
SHA-256 and Converting the Cryptographic Provider Type



Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 3 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Select a Forum....












Forums, Documentation & Knowledge Base - ComponentSpace


Search