SAMLSignatureException: Failed to generate XML signature. Invalid algorithm specified
ondrod
New Member (11 reputation)
Group: Forum Members
Posts: 9, Visits: 44
Hello,

We have updated to ComponentSpace.SAML2.dll version 2.8.2.0 from the older version 2.5.0.20.

This upgrade broke our existing integration because of:
"SAMLSignatureException: Failed to generate XML signature. Invalid algorithm specified".

I have seen that you have covered the topic in these forum posts:
    • http://www.componentspace.com/Forums/1623/SAMLSignatureException-Failed-to-generate-XML-signature-Invalid-algorithm-specified
    • http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type?PageIndex=1
    • http://www.componentspace.com/Forums/1565/SHA256-and-Cryptographic-Provider-Types

We were generating self-signed certificates for our integrations in code (not using openssl or makecert), with the Cryptographic Service Provider (CSP) set to "Microsoft Base Cryptographic Provider v1.0" instead of "Microsoft Enhanced RSA and AES Cryptographic Provider". We are using one of the SHA256, SHA384 and SHA512 signature algorithms.

I have two questions:
    • Why was this not an issue in version "2.5.0.20"?
    • Is there any way we can upgrade our already generated certificates to use the correct CSP without breaking existing integrations?

Thank you for the answers.

Best Regards
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
Prior to v2.6.0.13 we defaulted to SHA-1 signatures.
Later versions default to SHA-256 signatures although SHA-1 is still supported.
http://www.componentspace.com/Forums/5316/SHA1-vs-SHA256-XML-signatures

Upgrading your PFX file to the correct CSP should not affect other integrations.
The only change made to the PFX is a property that specifies which CSP to use.
The rest of the PFX, including the private key, remain unchanged.
You can still use the PFX to generate SHA-1 signatures if required.
Also, partner sites with your CER file can continue to use the same CER file.

Regards
ComponentSpace Development
ondrod
New Member (11 reputation)
Group: Forum Members
Posts: 9, Visits: 44
Can you provide a C# example of how to set the CSP for an existing X509Certificate2?

Thanks
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
I don't believe there's a .NET framework API that supports updating the CSP.
You would have to call into the Windows API through PInvoke.
We don't have any examples of this.

Regards
ComponentSpace Development
ondrod
New Member (11 reputation)
Group: Forum Members
Posts: 9, Visits: 44
Do you have an example with makecert or some other console application?
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
I suggest taking a look at our Certificate Guide.
http://www.componentspace.com/Forums/7813/Certificate-Guide
The "Generating Self-Signed Certificates" section describes using PowerShell’s New-SelfSignedCertificate cmdlet to generate a self-signed certificate with the correct CSP for SHA-256 signature generation. 

Regards
ComponentSpace Development
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
I found the following SO article which describes updating the CSP type in C#.
https://stackoverflow.com/questions/29005876/signedxml-compute-signature-with-sha256
Regards
ComponentSpace Development
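The following is an added example, not code from ComponentSpace or from the Stack Overflow answer linked above. It shows the two things a practitioner wants here: a check that reports which CSP currently holds a certificate's private key, and a re-keying step that copies the RSA key into the "Microsoft Enhanced RSA and AES Cryptographic Provider" (PROV_RSA_AES, type 24) so that .NET Framework can produce RSA-SHA256 XML signatures. The certificate content is unchanged; only the key's provider association changes, which matches the point made earlier in this thread that partner sites keep working with the same CER file. The PFX path and password are placeholders, the private key is assumed to have been loaded as exportable, and the code targets .NET Framework (the `PrivateKey` setter used here is not available on .NET Core/.NET 5+, where RSA-SHA256 signing does not depend on the CSP in the first place).

```csharp
// Added example (not ComponentSpace's code). Targets .NET Framework on Windows.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class CspFixer
{
    const int ProvRsaAes = 24; // PROV_RSA_AES
    const string ProvRsaAesName = "Microsoft Enhanced RSA and AES Cryptographic Provider";

    // Diagnostic check: which CSP holds this certificate's private key?
    public static string DescribeCsp(X509Certificate2 cert)
    {
        var rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null) return "no RSACryptoServiceProvider private key";
        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
        return string.Format("{0} (type {1}), container '{2}', exportable={3}",
            info.ProviderName, info.ProviderType, info.KeyContainerName, info.Exportable);
    }

    // Re-associate the RSA private key with the AES-capable provider.
    // Requires an exportable key; the returned certificate holds an in-memory
    // (non-persisted) key, so export it to a new PFX if you need to keep it.
    public static X509Certificate2 WithAesProvider(X509Certificate2 cert)
    {
        var rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
            throw new InvalidOperationException("certificate has no RSA CSP private key");
        if (rsa.CspKeyContainerInfo.ProviderType == ProvRsaAes)
            return cert; // already on the right provider, nothing to do

        var cspParams = new CspParameters(ProvRsaAes, ProvRsaAesName)
        {
            KeyContainerName = Guid.NewGuid().ToString(), // fresh, throwaway container
            Flags = CspProviderFlags.NoPrompt
        };
        var aesRsa = new RSACryptoServiceProvider(cspParams) { PersistKeyInCsp = false };
        aesRsa.ImportParameters(rsa.ExportParameters(true)); // throws if key is not exportable

        // Same certificate bytes (same public key, same CER for partners), new key provider.
        return new X509Certificate2(cert.RawData) { PrivateKey = aesRsa };
    }

    // Smoke test: sign a small constructed XML document with RSA-SHA256 and verify it.
    // ComputeSignature() is the call that fails with "Invalid algorithm specified"
    // when the key sits in the Base provider.
    public static bool CanSignSha256(X509Certificate2 cert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<Assertion ID=\"_example\"><Subject>constructed sample</Subject></Assertion>");

        var signedXml = new SignedXml(doc) { SigningKey = cert.PrivateKey };
        signedXml.SignedInfo.SignatureMethod = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
        var reference = new Reference("#_example");
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        reference.DigestMethod = "http://www.w3.org/2001/04/xmlenc#sha256";
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));

        // Verify with the certificate's public key only.
        return signedXml.CheckSignature(cert.PublicKey.Key);
    }

    public static void Main()
    {
        // Placeholder path and password (assumptions, not values from the thread).
        const string pfxPath = @"C:\path\to\idp.pfx";
        const string pfxPassword = "pfx-password";

        var cert = new X509Certificate2(pfxPath, pfxPassword, X509KeyStorageFlags.Exportable);
        Console.WriteLine("Before: " + DescribeCsp(cert));

        var fixedCert = WithAesProvider(cert);
        Console.WriteLine("After:  " + DescribeCsp(fixedCert));
        Console.WriteLine("RSA-SHA256 signature OK: " + CanSignSha256(fixedCert));

        // Persist the re-keyed certificate as a new PFX for the SAML library to load.
        File.WriteAllBytes(@"C:\path\to\idp-aes.pfx",
            fixedCert.Export(X509ContentType.Pfx, pfxPassword));
    }
}
```

Two caveats worth checking before relying on this: the key must have been marked exportable when the PFX was created, otherwise `ExportParameters(true)` throws and the only route is to issue a new certificate with the correct provider (for example via the `New-SelfSignedCertificate` cmdlet mentioned above); and on .NET Framework versions before 4.6.2 the `rsa-sha256` signature method must additionally be registered with `CryptoConfig` before `SignedXml` will accept it.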
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
The EncryptedAssertion constructor defaults the symmetric key encryption method to "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" and the data encryption method to "http://www.w3.org/2001/04/xmlenc#aes256-cbc".

What version of the SAML library are you using?

What version of the .NET framework are you using?

Have you tried the same code but specifying the "sp.cer" certificate that we include with the example projects? This will help identify whether the issue is related to your certificate.

If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to [email protected] mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
Regards
ComponentSpace Development