Invalid algorithm specified when using actual cert file

mmasood
New Member (39 reputation)
Group: Awaiting Activation
Posts: 31, Visits: 73
Hi,

I have got an IdP (ADFS) and an SP (a web form with multi-tenancy). I created a relying party in ADFS and specified sp.cer under Signature and Encryption with the SHA-1 hash algorithm. In the SP I loaded the sp.pfx file in the configuration, and also use sp.pfx to decrypt the encrypted assertions.

It works fine with the above configuration in ADFS and sp.cer, but as soon as I use the actual certificate I get the exception below:

Invalid algorithm specified.

[CryptographicException: Invalid algorithm specified.]
 System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr) +41
 System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte[] hash, Int32 cbHash, ObjectHandleOnStack retSignature) +0
 System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte[] hash) +97
 System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte[] rgbHash, Int32 calgHash) +199
 ComponentSpace.SAML2.Bindings.HTTPRedirectBinding.GenerateSignature(AsymmetricAlgorithm key, String signatureAlgorithm, Byte[] dataToSign) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Bindings\HTTPRedirectBinding.cs:121

[SAMLSignatureException: Failed to generate signature]
 ComponentSpace.SAML2.Bindings.HTTPRedirectBinding.GenerateSignature(AsymmetricAlgorithm key, String signatureAlgorithm, Byte[] dataToSign) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Bindings\HTTPRedirectBinding.cs:138
 ComponentSpace.SAML2.Bindings.HTTPRedirectBinding.CreateQueryString(String messageQueryName, XmlElement samlMessage, String relayState, AsymmetricAlgorithm key, String signatureAlgorithm) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Bindings\HTTPRedirectBinding.cs:417
 ComponentSpace.SAML2.Bindings.HTTPRedirectBinding.CreateRequestRedirectURL(String baseURL, XmlElement samlMessage, String relayState, AsymmetricAlgorithm key, String signatureAlgorithm) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Bindings\HTTPRedirectBinding.cs:494
 ComponentSpace.SAML2.Bindings.HTTPRedirectBinding.SendRequest(HttpResponse httpResponse, String baseURL, XmlElement samlMessage, String relayState, AsymmetricAlgorithm key, String signatureAlgorithm) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\Bindings\HTTPRedirectBinding.cs:749
 ComponentSpace.SAML2.InternalSAMLServiceProvider.SendAuthnRequest(HttpResponse httpResponse, XmlElement authnRequestElement, String relayState, String singleSignOnServiceUrl) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:239
 ComponentSpace.SAML2.InternalSAMLServiceProvider.InitiateSSO(HttpResponse httpResponse, String relayState, String partnerIdP, SSOOptions ssoOptions, String assertionConsumerServiceUrl, String singleSignOnServiceUrl) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:874
 ComponentSpace.SAML2.SAMLServiceProvider.InitiateSSO(HttpResponse httpResponse) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\SAMLServiceProvider.cs:320
 mmasood.Web.RedirectToLogin.Page_Load(Object sender, EventArgs e) in c:\prj\src\Web\RedirectToLogin.aspx.cs:17
 System.Web.UI.Control.OnLoad(EventArgs e) +109
 System.Web.UI.Control.LoadRecursive() +68
 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +4498

Please suggest any direction.

Thanks,
Muhammad


ComponentSpace
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
Is it definitely SHA-1?
Is the only change the certificate specified in ADFS and in the SP's SAML configuration?
Could you send me a section of your SAML configuration where you specify partner identity provider?
What version of the SAML2 DLL are you using?

Regards
ComponentSpace Development
mmasood
New Member (39 reputation)
Group: Awaiting Activation
Posts: 31, Visits: 73
ComponentSpace - Monday, June 20, 2016
Is it definitely SHA-1?
Is the only change the certificate specified in ADFS and in the SP's SAML configuration?
Could you send me a section of your SAML configuration where you specify partner identity provider?
What version of the SAML2 DLL are you using?

Hi,

I tried with both SHA-1 and SHA-256 but no luck.
Yes, I only changed the certificate.

Here is the configuration, loaded programmatically:

    using ComponentSpace.SAML2;
    using ComponentSpace.SAML2.Configuration;

    SAMLConfiguration tenantOneSamlConfiguration = new SAMLConfiguration();

    // Local SP: the PFX holds the private key used to sign the AuthnRequest
    // and to decrypt the encrypted assertion.
    tenantOneSamlConfiguration.LocalServiceProviderConfiguration = new LocalServiceProviderConfiguration
    {
        Name = "https://tenant-one.com",
        AssertionConsumerServiceUrl = "~/Sso/SAML/AssertionConsumerService",
        LocalCertificateFile = "domain-certificate.pfx",
        LocalCertificatePassword = "Password for that pfx"
    };

    // Partner IdP (ADFS): sign the AuthnRequest, expect a signed and encrypted assertion.
    tenantOneSamlConfiguration.AddPartnerIdentityProvider(new PartnerIdentityProviderConfiguration
    {
        Name = "http://sts.mmasood.com/adfs/services/trust",
        SignAuthnRequest = true,
        WantSAMLResponseSigned = false,
        WantAssertionSigned = true,
        WantAssertionEncrypted = true,
        UseEmbeddedCertificate = true,
        SingleSignOnServiceUrl = "https://sts.mmasood.com/adfs/ls/"
    });

    // Register the configuration under the tenant key (multi-tenant SP).
    SAMLController.Configurations["tenant-1"] = tenantOneSamlConfiguration;

I am using the latest DLL.

Thanks,
Muhammad Masood
mmasood
New Member (39 reputation)
Group: Awaiting Activation
Posts: 31, Visits: 73
ComponentSpace - Monday, June 20, 2016
Is it definitely SHA-1?
Is the only change the certificate specified in ADFS and in the SP's SAML configuration?
Could you send me a section of your SAML configuration where you specify partner identity provider?
What version of the SAML2 DLL are you using?

Hi,

Additional info: I am using a wildcard certificate.

Thanks,
Muhammad Masood
ComponentSpace
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
A wildcard certificate is fine.
It may be something to do with the cryptographic service provider specified by the private key.
Please take a look at the code in the following forum post.
http://www.componentspace.com/Forums/1565/SHA256-and-Cryptographic-Service-Provider-Types
If you run this code on your certificate, what is the provider name and type?
It may be that it doesn't support signature generation.

Regards
ComponentSpace Development
mmasood
New Member (39 reputation)
Group: Awaiting Activation
Posts: 31, Visits: 73
ComponentSpace - Monday, June 20, 2016
A wildcard certificate is fine.
It may be something to do with the cryptographic service provider specified by the private key.
Please take a look at the code in the following forum post.
http://www.componentspace.com/Forums/1565/SHA256-and-Cryptographic-Service-Provider-Types
If you run this code on your certificate, what is the provider name and type?
It may be that it doesn't support signature generation.

After running that code I got below:


Thanks,
Muhammad Masood
ComponentSpace
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
The Microsoft RSA SChannel Cryptographic Provider supports SHA-1 signatures but not SHA-256.
In the latest release (v2.6.0.14) of the SAML2 DLL we now default to SHA-256 signatures in keeping with the general move to SHA-256.
For SHA-1, set the PartnerIdentityProvider.SignatureMethod to "http://www.w3.org/2000/09/xmldsig#rsa-sha1".
Alternatively, if you wanted to use SHA-256, you need to change the PFX to specify the Microsoft Enhanced RSA and AES Cryptographic Provider.
The following forum post explains how to use openssl to do this.
http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type


Regards
ComponentSpace Development
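The two ComponentSpace replies above describe a check (read the provider name and type of the private key in the PFX) and a decision (SHA-1 SignatureMethod, or convert the PFX to the Microsoft Enhanced RSA and AES Cryptographic Provider so SHA-256 works). The following is an added example that is not ComponentSpace's code and not the code from the linked forum posts; it loads a PFX, reports the CryptoAPI provider the key is bound to, attempts a real RSA signature with SHA-1 and with SHA-256, and names the SignatureMethod URI the key can actually support. It assumes .NET Framework on Windows, where a PFX private key loads as an RSACryptoServiceProvider; the file name, password and the sample data are placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example (not ComponentSpace's code). Assumes .NET Framework / CryptoAPI keys.
static class CspSigningCheck
{
    // CryptoAPI provider type ids from wincrypt.h.
    const int PROV_RSA_FULL = 1;       // "Microsoft Enhanced Cryptographic Provider v1.0": SHA-1 signatures only
    const int PROV_RSA_SCHANNEL = 12;  // "Microsoft RSA SChannel Cryptographic Provider": SHA-1 signatures only
    const int PROV_RSA_AES = 24;       // "Microsoft Enhanced RSA and AES Cryptographic Provider": SHA-256 capable

    // XML-DSig signature method URIs, as used for PartnerIdentityProvider.SignatureMethod.
    public const string RsaSha1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    public const string RsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    static void Main(string[] args)
    {
        string pfxPath = args.Length > 0 ? args[0] : "domain-certificate.pfx"; // placeholder path
        string pfxPassword = args.Length > 1 ? args[1] : "";                   // placeholder password

        var cert = new X509Certificate2(pfxPath, pfxPassword, X509KeyStorageFlags.Exportable);
        var rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
        {
            Console.WriteLine("No CryptoAPI RSA private key in this PFX (no private key, or a CNG key).");
            return;
        }

        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
        Console.WriteLine("Provider name : " + info.ProviderName);
        Console.WriteLine("Provider type : {0} ({1})", info.ProviderType, DescribeProviderType(info.ProviderType));

        // Constructed sample input; any bytes will do because only the provider's capability matters.
        byte[] sample = Encoding.UTF8.GetBytes("constructed sample data, not a real SAML message");
        bool sha1Ok = TrySign(rsa, sample, "SHA1");
        bool sha256Ok = TrySign(rsa, sample, "SHA256");
        Console.WriteLine("rsa-sha1      : " + (sha1Ok ? "supported" : "not supported"));
        Console.WriteLine("rsa-sha256    : " + (sha256Ok ? "supported" : "not supported"));
        Console.WriteLine("SignatureMethod this key can use: " + ChooseSignatureMethod(sha256Ok, sha1Ok));
    }

    static string DescribeProviderType(int providerType)
    {
        switch (providerType)
        {
            case PROV_RSA_FULL: return "PROV_RSA_FULL, SHA-1 signatures only";
            case PROV_RSA_SCHANNEL: return "PROV_RSA_SCHANNEL, SHA-1 signatures only";
            case PROV_RSA_AES: return "PROV_RSA_AES, SHA-256 signatures supported";
            default: return "other provider type";
        }
    }

    // Performs a real signature with the named hash. On PROV_RSA_FULL and PROV_RSA_SCHANNEL keys
    // SHA-256 fails with CryptographicException "Invalid algorithm specified", the same exception
    // shown in the thread's HTTPRedirectBinding.GenerateSignature stack trace.
    static bool TrySign(RSACryptoServiceProvider rsa, byte[] data, string hashName)
    {
        try
        {
            rsa.SignData(data, hashName);
            return true;
        }
        catch (CryptographicException)
        {
            return false;
        }
    }

    // Prefer SHA-256. SHA-1 only works end to end if the ADFS relying party trust's signature
    // hash algorithm is also SHA-1; a mismatch is rejected by ADFS with MSIS7093.
    public static string ChooseSignatureMethod(bool sha256Ok, bool sha1Ok)
    {
        if (sha256Ok) return RsaSha256;
        if (sha1Ok) return RsaSha1;
        throw new InvalidOperationException("Key cannot produce RSA signatures with SHA-1 or SHA-256.");
    }
}
```

Run it as `CspSigningCheck.exe domain-certificate.pfx <password>`. A key reported as type 12 (SChannel) or type 1 matches the symptom in this thread; after the PFX is re-exported against the Microsoft Enhanced RSA and AES Cryptographic Provider (openssl's `pkcs12 -export -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"` writes that provider name into the PFX), the type shows as 24 and the SHA-256 attempt succeeds, so the SP can keep the DLL's SHA-256 default and the ADFS relying party trust can stay on SHA-256. Whichever hash is chosen, the SP's SignatureMethod and the relying party trust's signature hash algorithm in ADFS must agree.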
mmasood
New Member (39 reputation)
Group: Awaiting Activation
Posts: 31, Visits: 73
ComponentSpace - Monday, June 20, 2016
The Microsoft RSA SChannel Cryptographic Provider supports SHA-1 signatures but not SHA-256.
In the latest release (v2.6.0.14) of the SAML2 DLL we now default to SHA-256 signatures in keeping with the general move to SHA-256.
For SHA-1, set the PartnerIdentityProvider.SignatureMethod to "http://www.w3.org/2000/09/xmldsig#rsa-sha1".
Alternatively, if you wanted to use SHA-256, you need to change the PFX to specify the Microsoft Enhanced RSA and AES Cryptographic Provider.
The following forum post explains how to use openssl to do this.
http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type

Thanks for your reply. It works, but now in AssertionConsumerService.aspx I am not getting any assertions.

Are there any settings I need to update in ADFS?

Thanks,
Muhammad Masood
ComponentSpace
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
Is a SAML response being returned?
If so, what error is occurring?
If not, please take a look at the ADFS Windows event log for the specific error.

Regards
ComponentSpace Development
mmasood
New Member (39 reputation)
Group: Awaiting Activation
Posts: 31, Visits: 73
Here is the ADFS event viewer log:

Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureAlgorithmMismatchException: MSIS7093: The message is not signed with expected signature algorithm. Message is signed with signature algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1. Expected signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
 at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage)

I am using the latest DLL (but planning to use the old version).

Thanks,
Muhammad Masood