ComponentSpace

Forums



Using old version with recent installation of .net framework 4.7.2


Using old version with recent installation of .net framework 4.7.2

Author
Message
ndenny
ndenny
New Member
New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)

Group: Forum Members
Posts: 3, Visits: 4
We are using version 2.5.0.8 with a sha2 cert to sign saml 2.0 messages.
This has worked for years across different windows and .net framework versions, up to and INCLUDING 4.6.1.

We use the low level saml implementation on a DotNetNuke site, which requires us to install .net framework 4.7.2.
Since doing this in our dev environment, we now get an error using the same cert and code we were using before.
Note that we didn't change the code at all - it is still compiled for .net framework 4.5.2, which has worked for more than a year on the previous version (.net framework 4.6.1).

SAMLAssertionSignature.Generate(xmlSamlAssertion, cert.PrivateKey, cert);

Error Message (this doesn't really tell me anything)
Message:Failed to generate XML signature.

StackTrace:
InnerMessage:Failed to generate XML signature.
InnerStackTrace:
 at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, KeyInfo keyInfo, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)
 at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, X509Certificate2Collection x509Certificates, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)
 at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, X509Certificate2 x509Certificate, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)
 at ComponentSpace.SAML2.Assertions.SAMLAssertionSignature.Generate(XmlElement xmlElement, AsymmetricAlgorithm signingKey, X509Certificate2 x509Certificate, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)
 at ComponentSpace.SAML2.Assertions.SAMLAssertionSignature.Generate(XmlElement xmlElement, AsymmetricAlgorithm signingKey, X509Certificate2 x509Certificate)
 at SAMLPost()

ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
It could be a permissions error accessing the PFX file or the private key container.

Please refer to:

https://www.componentspace.com/Forums/29/Troubleshooting-Loading-X509-Certificates

If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to [email protected] mentioning your forum post.



Regards
ComponentSpace Development
ndenny
ndenny
New Member
New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)

Group: Forum Members
Posts: 3, Visits: 4
I am having our ops team check permissions on the cert.

Any possibility one of these breaking changes from 4.5.2 to 4.7.2 is causing the issue.

I checked the cert, but I am not trying to switch to sha-256 signatures from sha-1 signatures - the code hasn't changed.

X509Certificate2.ToString(Boolean) does not throw now when .NET cannot handle the certificate
Details
In .NET Framework 4.5.2 and earlier versions, this method would throw if true was passed for the verbose parameter and there were certificates installed that weren't supported by the .NET Framework. Now, the method will succeed and return a valid string that omits the inaccessible portions of the certificate.

Suggestion
Any code depending on X509Certificate2.ToString(Boolean) should be updated to expect that the returned string may exclude some certificate data (such as public key, private key, and extensions) in some cases in which the API would have previously thrown.

SUGGESTION
NameValue
ScopeEdge
Version4.6
TypeRuntime

RSACng.VerifyHash now returns False for any verification failure
Details
Starting with the .NET Framework 4.6.2, this method returns False if the signature itself is badly formatted. It now returns false for any verification failure.In the .NET Framework 4.6 and 4.6.1, the method throws a System.Security.Cryptography.CryptographicException if the signature itself is badly formatted.

Suggestion
Any code whose execution depends on handling the System.Security.Cryptography.CryptographicException should instead execute if validation fails and the method returns False.

SUGGESTION
NameValue
ScopeMinor
Version4.6.2
TypeRuntime
Affected APIs
RSACng.VerifyHash(Byte[], Byte[], HashAlgorithmName, RSASignaturePadding)

SignedXml and EncryptedXml Breaking Changes
Details
In .NET Framework 4.6.2, security fixes in System.Security.Cryptography.Xml.SignedXml and System.Security.Cryptography.Xml.EncryptedXml lead to different run-time behaviors. For example:

If a document has multiple elements with the same id attribute and a signature targets one of those elements as the root of the signature, the document will now be considered invalid.
Documents using non-canonical XPath transform algorithms in references are now considered invalid.
Documents using non-canonical XSLT transform algorithms in references are now consider invalid.
Any program making use of external resource detached signatures will be unable to do so.
Suggestion
Developers might want to review the usage of XmlDsigXsltTransform and XmlDsigXsltTransform, as well as types derived from Transform since a document receiver may not be able to process it.

SUGGESTION
NameValue
ScopeMinor
Version4.6.2
TypeRuntime
Affected APIs
System.Security.Cryptography.Xml.Transform
System.Security.Cryptography.Xml.XmlDsigXPathTransform
System.Security.Cryptography.Xml.XmlDsigXsltTransform

WCF PipeConnection.GetHashAlgorithm now uses SHA256
Details
Starting with the .NET Framework 4.7.1, Windows Communication Foundation uses a SHA256 hash to generate random names for named pipes. In the .NET Framework 4.7 and earlier versions, it used a SHA1 hash.

Suggestion
If you run into compatibility issue with this change on the .NET Framework 4.7.1 or later, you can opt-out it by adding the following line to the <runtime> section of your app.config file:

XML

Copy
<configuration>
<runtime>
  <AppContextSwitchOverrides value="Switch.System.ServiceModel.UseSha1InPipeConnectionGetHashAlgorithm=true" />
</runtime>
</configuration>
NameValue
ScopeMinor
Version4.7.1
TypeRuntime

Web Applications
"dataAnnotations:dataTypeAttribute:disableRegEx" app setting is on by default in .NET Framework 4.7.2
Details
In .NET Framework 4.6.1, an app setting (&quot;dataAnnotations:dataTypeAttribute:disableRegEx&quot;) was introduced that allows users to disable the use of regular expressions in data type attributes (such as System.ComponentModel.DataAnnotations.EmailAddressAttribute, System.ComponentModel.DataAnnotations.UrlAttribute, and System.ComponentModel.DataAnnotations.PhoneAttribute). This helps to reduce security vulnerability such as avoiding the possibility of a Denial of Service attack using specific regular expressions.
In .NET Framework 4.6.1, this app setting to disable RegEx usage was set to false by default. Starting with .NET Framework 4.7.2, this config switch is set to true by default to further reduce secure vulnerability for web applications that target .NET Framework 4.7.2 and above.

Suggestion
If you find that regular expressions in your web application do not work after upgrading to .NET Framework 4.7.2, you can update the value of the &quot;dataAnnotations:dataTypeAttribute:disableRegEx&quot; setting to false to revert to the previous behavior.

XML

Copy
<configuration>
<appSettings>
...
<add key="dataAnnotations:dataTypeAttribute:disableRegEx" value="false"/>
...
</appSettings>
</configuration>
NameValue
ScopeMinor
Version4.7.2
TypeRuntime

Reflection objects can no longer be passed from managed code to out-of-process DCOM clients
Details
Reflection objects can no longer be passed from managed code to out-of-process DCOM clients. The following types are affected:
System.Reflection.Assembly
System.Reflection.MemberInfo (and its derived types, including System.Reflection.FieldInfo, System.Reflection.MethodInfo, System.Type, and System.Reflection.TypeInfo)
System.Reflection.MethodBody
System.Reflection.Module
System.Reflection.ParameterInfo
Calls to IMarshal for the object return E_NOINTERFACE.
Suggestion
Update marshaling code to work with non-reflection objects.
SUGGESTION
NameValue
ScopeMinor
Version4.6
TypeRuntime
Affected APIs
System.Reflection.Assembly
System.Reflection.FieldInfo
System.Reflection.MemberInfo
System.Reflection.MethodBody
System.Reflection.MethodInfo
System.Reflection.Module
System.Reflection.ParameterInfo
System.Reflection.TypeInfo
System.Type

ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
I don't think any of those .NET framework changes are applicable.

I still suspect a permission error with the PFX file.

If you could email us a log file, it might show more information. 

Regards
ComponentSpace Development
ndenny
ndenny
New Member
New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)New Member (4 reputation)

Group: Forum Members
Posts: 3, Visits: 4
ComponentSpace - 9/8/2021
I don't think any of those .NET framework changes are applicable.

I still suspect a permission error with the PFX file.

If you could email us a log file, it might show more information. 

It isn't cert permissions. Something else using the same account can use the cert without issue.
I tried running the trace as recommended and got an error.
The type initializer for 'ComponentSpace.SAML2.Utility.Diagnostics' threw an exception.
 at ComponentSpace.SAML2.Utility.Diagnostics.Verbose(Exception exception)
 at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, KeyInfo keyInfo, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)
 at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, X509Certificate2Collection x509Certificates, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)
 at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, X509Certificate2 x509Certificate, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)
 at ComponentSpace.SAML2.Assertions.SAMLAssertionSignature.Generate(XmlElement xmlElement, AsymmetricAlgorithm signingKey, X509Certificate2 x509Certificate, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)
 at ComponentSpace.SAML2.Assertions.SAMLAssertionSignature.Generate(XmlElement xmlElement, AsymmetricAlgorithm signingKey, X509Certificate2 x509Certificate)
 at localmethod()

ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Was anything written to the log file?

The type initializer calls Diagnostics.Verbose to log the product version number and some environment information.

Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 2 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Select a Forum....












Forums, Documentation & Knowledge Base - ComponentSpace


Search