SignedXML.CheckSignature Always Fails

  • Question

  • I don't think I posted my original question in the correct forum, so I'm going to close that one and post here.

    I'm currently working on a project which requires the XML posts to be digitally signed. I do not seem to have any luck with getting any test posts from our client to validate with the below code:

    using System.Xml;
    using System.Security.Cryptography.Xml;

    public static bool verifySignature(string xmlData)
    {
        XmlDocument theDocument = new XmlDocument();
        XmlNodeList nodeList;
        SignedXml signedDocument;

        // Keep whitespace exactly as received; it is part of what was signed.
        theDocument.PreserveWhitespace = true;
        theDocument.LoadXml(xmlData);
        signedDocument = new SignedXml(theDocument);

        // Find the <ds:Signature> element by its qualified name (this match depends on the "ds" prefix).
        nodeList = theDocument.GetElementsByTagName("ds:Signature");

        signedDocument.LoadXml((XmlElement)nodeList[0]);

        // No key is passed in, so verification uses whatever key is carried in <ds:KeyInfo>.
        return signedDocument.CheckSignature();
    }


    The posts are signed using the XML Signature tag with a namespace of "ds". I am simply base64 decoding the post and sending it straight to here without any modifications of whitespace or casing.

    Any help would be greatly appreciated!

    - Jake
    Friday, April 3, 2009 2:06 PM

All replies

  • So what exactly happens? Do you get an error? If so which one? Or is the verifySignature method always returning false?
    Can you post an example value of xmlData that you pass in where you expect to get true but get false?

    MVP XML
    Friday, April 3, 2009 2:21 PM
  • It simply returns false. No fireworks or exceptions that I'm aware of. I'll post a scrubbed post up in a few minutes. Thanks for the help!
    Monday, April 6, 2009 1:16 PM
  • Here's a sample post (it will fail now for sure because I changed some data to fake values). Please keep in mind that this is all base64 encoded right up until I check the signature (when I then decode it without any other modifications). Another assertion that I tested gave me an invalid reference exception, but this one simply returns false.


    <samlp:Response IssueInstant="2009-02-12T20:06:51.658Z" ID="DxwelMilVtxlWhuU4sjX8taaaxo" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    	<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    		Issuer
    	</saml:Issuer>
    	<samlp:Status>
    		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    	</samlp:Status>
    	<saml:Assertion Version="2.0" IssueInstant="2009-02-12T20:06:51.746Z" ID="rXmPjqvtnczkUvznkNOBpL.tu1e" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    		<saml:Issuer>
    			Issuer
    		</saml:Issuer>
    		<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    			<ds:SignedInfo>
    				<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    				<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    				<ds:Reference URI="#rXmPjqvtnczkUvznkNOBpL.tu1e">
    					<ds:Transforms>
    						<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    						<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    					</ds:Transforms>
    					<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    					<ds:DigestValue>
    						OmLEVLMkGaRNY1wvreWV71SVM20=
    					</ds:DigestValue>
    				</ds:Reference>
    			</ds:SignedInfo>
    			<ds:SignatureValue>
    				PiJpclYvzOWDNY/LnsDX3RXkMBmA2Xfqv3ctJZa9eEHrJcTtpyQR+8nJDJz+WusmR9wP35H6z8un
    				gLlNRQ5KY6PnjPNMnmEy1nfiRJQD2jPdquZ6Mr4qKzHnYwJzS6R1ZTBUwkllcajfgzuFZXvkJRAn
    				SAEoqoIEU7yn1fek0kI=
    			</ds:SignatureValue>
    			<ds:KeyInfo>
    				<ds:X509Data>
    					<ds:X509Certificate>
    						MIIClTCCAf6gAwIBAgIGAR3VO5kgMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYDVQQGEwJVUzELMAkG
    						A1UECBMCQ1QxEjAQBgNVBAcTCUZhaXJmaWVsZDEhMB8GA1UEChMYR2VuZXJhbCBFbGVjdHJpYyBD
    						b21wYW55MRgwFgYDVQQLEw9HRSBHSVMgQ29ycHQ1MDgxIDAeBgNVBAMTF2Zzcy5zdGFnZS5nZWNv
    						bXBhbnkuY29tMB4XDTA4MTEyNTE5NTg1MloXDTEwMTEyNTE5NTg1MlowgY0xCzAJBgNVBAYTAlVT
    						MQswCQYDVQQIEwJDVDESMBAGA1UEBxMJRmFpcmZpZWxkMSEwHwYDVQQKExhHZW5lcmFsIEVsZWN0
    						cmljIENvbXBhbnkxGDAWBgNVBAsTD0dFIEdJUyBDb3JwdDUwODEgMB4GA1UEAxMXZnNzLnN0YWdl
    						LmdlY29tcGFueS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM7CP9FlNdLPYof1BtyJ
    						128uYeFHWc0P8eyXZe6AHO2nmL2ZqXpzpDt2xeLGqu+7jakE5Ijr9ePLgyQ+2Up7gUlMVmrklU/i
    						5JU4V0HYFkdDFQQHzcAHI0Y/UStf4iZ1SEYVqPHJECyrXSn8a9N4UoZbvqCmD4ycaY+bCvYgeclv
    						AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEACmch7fvNI8lcL3GIPWNUcx885T+fckKBezncCcxWo0KZ
    						5D3Y23FbFoAyw3ZHMCUC+DCy+9e+OuNC9p3PffYoFpBMbQX9TFf0C5uqxlcip9vbMmDIwEALq4mS
    						tUXvZWyq0JeX196dth4z528OLgO6RvVu260O0v2v2tOOvMbS3Yc=
    					</ds:X509Certificate>
    				</ds:X509Data>
    				<ds:KeyValue>
    					<ds:RSAKeyValue>
    						<ds:Modulus>
    							zsI/0WU10s9ih/UG3InXby5h4UdZzQ/x7Jdl7oAc7aeYvZmpenOkO3bF4saq77uNqQTkiOv148uD
    							JD7ZSnuBSUxWauSVT+LklThXQdgWR0MVBAfNwAcjRj9RK1/iJnVIRhWo8ckQLKtdKfxr03hShlu+
    							oKYPjJxpj5sK9iB5yW8=
    						</ds:Modulus>
    						<ds:Exponent>
    							AQAB
    						</ds:Exponent>
    					</ds:RSAKeyValue>
    				</ds:KeyValue>
    			</ds:KeyInfo>
    		</ds:Signature>
    		<saml:Subject>
    			<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
    				999999500
    			</saml:NameID>
    			<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    				<saml:SubjectConfirmationData NotOnOrAfter="2009-02-12T20:11:51.805Z" Recipient="https://www.xyzfortest.com/lms/auth/sso/sso.php"/>
    			</saml:SubjectConfirmation>
    		</saml:Subject>
    		<saml:Conditions NotOnOrAfter="2009-02-12T20:11:51.758Z" NotBefore="2009-02-12T20:01:51.758Z">
    			<saml:AudienceRestriction>
    				<saml:Audience>
    					Audience
    				</saml:Audience>
    			</saml:AudienceRestriction>
    		</saml:Conditions>
    		<saml:AuthnStatement AuthnInstant="2009-02-12T20:06:51.735Z" SessionIndex="rXmPjqvtnczkUvznkNOBpL.tu1e">
    			<saml:AuthnContext>
    				<saml:AuthnContextClassRef>
    					urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
    				</saml:AuthnContextClassRef>
    			</saml:AuthnContext>
    		</saml:AuthnStatement>
    		<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
    			<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="lastname">
    				<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    					User
    				</saml:AttributeValue>
    			</saml:Attribute>
    			<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="firstname">
    				<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    					Test
    				</saml:AttributeValue>
    			</saml:Attribute>
    			<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="uid">
    				<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    					999999500
    				</saml:AttributeValue>
    			</saml:Attribute>
    			<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="mail">
    				<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    					999999500@test.com
    				</saml:AttributeValue>
    			</saml:Attribute>
    		</saml:AttributeStatement>
    	</saml:Assertion>
    </samlp:Response>
    
    Monday, April 6, 2009 1:23 PM
  • I expect the problem comes from formatting the signed document. If you want to be able to format it, put

    PreserveWhitespace = false;

    when you format it and verify the signature.

    Please note, even this would not allow you to reformat text fields:

    <DigestValue>3wuqAMFz32gtVvIcoQBwyYhef+I=</DigestValue>

    shouldn't be converted to:

    <DigestValue>
        3wuqAMFz32gtVvIcoQBwyYhef+I=
    </DigestValue>
    Tuesday, April 7, 2009 5:32 PM
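To make the point of the reply above concrete, here is an added example (not code from anyone in this thread) that signs an element with an enveloped signature, pretty-prints the result, and verifies it three ways: the document as signed with PreserveWhitespace = true, the pretty-printed copy with PreserveWhitespace = true, and the pretty-printed copy with PreserveWhitespace = false. The payload, the element name `data` and its `Id` attribute are constructed for the example; it assumes .NET 6+ with the System.Security.Cryptography.Xml package.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not code from this thread). Signs an element with an enveloped
// signature, then shows what pretty-printing the signed document afterwards does
// to verification, with PreserveWhitespace on and off. Assumes .NET 6+ and the
// System.Security.Cryptography.Xml package.
public static class WhitespaceAndSignatures
{
    // Constructed sample payload. The Id attribute is what the Reference URI "#data" resolves to.
    private const string Payload =
        "<root><data Id=\"data\"><name>Test</name><amount>42</amount></data></root>";

    // Sign <data> with an enveloped signature and return the serialized document.
    public static string Sign(RSA key)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(Payload);
        var target = (XmlElement)doc.SelectSingleNode("/root/data");

        var signedXml = new SignedXml(doc) { SigningKey = key };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;

        var reference = new Reference("#data");
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);

        signedXml.ComputeSignature();
        // Enveloped: the <Signature> element is placed inside the element it covers.
        target.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc.OuterXml;
    }

    // Verify the single enveloped signature in xml against a known public key.
    public static bool Verify(string xml, bool preserveWhitespace, RSA key)
    {
        var doc = new XmlDocument { PreserveWhitespace = preserveWhitespace };
        doc.LoadXml(xml);
        var signatures = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (signatures.Count != 1) return false;

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)signatures[0]);
        return signedXml.CheckSignature(key);
    }

    // Re-serialize with indentation, which inserts whitespace-only text nodes
    // between elements (including inside <SignedInfo>) but leaves text content alone.
    public static string PrettyPrint(string xml)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);
        var settings = new XmlWriterSettings { Indent = true, OmitXmlDeclaration = true };
        var sw = new StringWriter();
        using (var writer = XmlWriter.Create(sw, settings))
        {
            doc.Save(writer);
        }
        return sw.ToString();
    }

    public static void Main()
    {
        using (RSA key = RSA.Create())
        {
            string signed = Sign(key);
            string pretty = PrettyPrint(signed);

            Console.WriteLine("as signed, PreserveWhitespace=true      : " + Verify(signed, true, key));
            Console.WriteLine("pretty-printed, PreserveWhitespace=true : " + Verify(pretty, true, key));
            Console.WriteLine("pretty-printed, PreserveWhitespace=false: " + Verify(pretty, false, key));
        }
    }
}
```

The first and third checks pass and the second fails: indentation adds whitespace-only text nodes inside SignedInfo and inside the signed element, so both the canonicalized SignedInfo and the reference digest change, while loading with PreserveWhitespace = false discards those nodes again and restores the DOM the signer saw. That only works when the original was signed without such whitespace; if the IdP signed an already-indented document (as the sample in this thread looks), it has to be loaded with PreserveWhitespace = true and never reformatted.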
  • Well the thing is, what you're seeing above (although human-readable) is actually what the base64 decoder gives me. No formatting was done after the document was signed that I am aware of. Regardless, I'll try your suggestion, and thanks for the input!

    - Jake
    Tuesday, April 7, 2009 8:50 PM
  • No luck. Here's the general procedure I'm using in pseudocode:

    string inString = receivedValue;   // base64-encoded XML document, exactly as received
    string outString = Encoding.UTF8.GetString(Convert.FromBase64String(inString));

    // load XML document into XmlDocument object,
    // load signature block into SignedXml object,
    // check signature (the verifySignature method posted above)
    bool valid = verifySignature(outString);

    As you can see I'm not making any modifications to the document which I have received. Perhaps I'm not using the proper Encoding class? I have no idea... I'll research this.

    Tuesday, April 7, 2009 9:05 PM
  • Try whether using Encoding.ASCII instead of Encoding.UTF8 works.
    MVP XML
    Wednesday, April 8, 2009 6:06 PM
  • Hi Jake,

    Just refer to How to: Sign XML Documents with Digital Signatures and How to: Verify the Digital Signatures of XML Documents for this scenario. Also, the best option is to post your code snippet showing how you sign the XML and verify that document, together with a sample XML.

    Riquel
    Thursday, April 9, 2009 9:04 AM
    Moderator
  • Did you get any solution for this? I am also in the same position; my SAML response is also the same. Could you please help me on this?

    Thanks,
    Ram
    Monday, December 14, 2009 3:56 PM
  • I had a similar problem and the following thread, though about a different problem, helped me find the solution.

    http://social.msdn.microsoft.com/Forums/en-GB/Geneva/thread/3d1ffda8-bd1c-427a-b675-286db0044d18

    Most examples in MSDN and on the web show passing the XML document root into the SignedXml.  However, if <Signature> is at a lower level element (child of something else), the CheckSignature will fail when passing in the root document.  In the example above,

    <samlp:Response><saml:Assertion>
    <ds:Signature>
    </ds:Signature>
    </saml:Assertion></samlp:Response>

    The sample code then computes/validates the top-level Document. This will fail.

    If you grab the parent Node of the <ds:Signature> (which is the <saml:Assertion> Node) and pass that into SignedXml constructor, the CheckSignature will work.  I am working on a full solution to this problem.  For starters, this code below will work but it is rough and has some duplicated code that I want to get rid of.  It also only works for enveloped Signatures.  I am trying to make it more generic to include enveloping and detached signatures.

    // 'doc' holds the received response; 'signingKey' is the trusted signer's public key.
    // Map the "dsig" prefix so the XPath below can find the Signature element.
    XmlNamespaceManager nsMgr = new XmlNamespaceManager(doc.NameTable);
    nsMgr.AddNamespace("dsig", SignedXml.XmlDsigNamespaceUrl);
    XmlNode signatureNode = doc.SelectSingleNode("//dsig:Signature", nsMgr);

    // Copy the element enclosing the signature (<saml:Assertion>) into its own document,
    // so that it is the root element SignedXml works against.
    XmlDocument signedDoc = new XmlDocument();
    signedDoc.PreserveWhitespace = true;
    XmlNode signedNode = signedDoc.ImportNode(signatureNode.ParentNode, true);
    signedDoc.AppendChild(signedNode);
    SignedXml verifier = new SignedXml(signedDoc);
    XmlNodeList nl = signedDoc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
    foreach (XmlNode signNode in nl)
    {
        verifier.LoadXml((XmlElement)signNode);
        if (verifier.CheckSignature(signingKey))
        {
            // SUCCESS
            break;
        }
    }

    Thursday, May 3, 2012 7:36 PM
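Two practitioner points come together here: Jake's question about which Encoding to use when turning the Base64 bytes into a string, and toddcscar's finding that SignedXml has to be anchored at the Assertion rather than the Response root. The following is an added example (not toddcscar's or Jake's code) of a verifier for the response layout shown in this thread. It hands the decoded bytes straight to the XML parser so the encoding is taken from the document itself, anchors SignedXml at the Assertion, checks that the single Reference really covers that Assertion, restricts the algorithms and transforms it will accept, and verifies against a certificate supplied from the relying party's own configuration instead of the one inside ds:KeyInfo. The method name, the `reason` parameter and the algorithm allowlists are this example's own choices; it assumes .NET 6+ with the System.Security.Cryptography.Xml package.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not code from this thread). Verifies the enveloped signature on
// /samlp:Response/saml:Assertion against a certificate obtained out of band and
// checks that the Reference covers that Assertion. Assumes .NET 6+ with the
// System.Security.Cryptography.Xml package and the element layout of the sample
// response in this thread.
public static class AssertionSignatureVerifier
{
    private const string SamlpNs = "urn:oasis:names:tc:SAML:2.0:protocol";
    private const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // rsa-sha1 and sha1 appear only because the sample in this thread uses them; drop them when the IdP can.
    private static readonly HashSet<string> AllowedSignatureMethods = new HashSet<string>
        { SignedXml.XmlDsigRSASHA256Url, SignedXml.XmlDsigRSASHA1Url };
    private static readonly HashSet<string> AllowedDigestMethods = new HashSet<string>
        { SignedXml.XmlDsigSHA256Url, SignedXml.XmlDsigSHA1Url };
    private static readonly HashSet<string> AllowedTransforms = new HashSet<string>
        { SignedXml.XmlDsigEnvelopedSignatureTransformUrl, SignedXml.XmlDsigExcC14NTransformUrl };

    // base64Response: the posted value exactly as received. trustedSigner: the IdP's
    // signing certificate from your own configuration, never the one found in ds:KeyInfo.
    public static bool VerifyAssertion(string base64Response, X509Certificate2 trustedSigner, out string reason)
    {
        // Give the parser the raw bytes: it takes the encoding from the BOM or XML declaration,
        // so there is nothing to guess between Encoding.UTF8 and Encoding.ASCII.
        byte[] raw = Convert.FromBase64String(base64Response);
        var doc = new XmlDocument { PreserveWhitespace = true };
        var readerSettings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        using (var reader = XmlReader.Create(new MemoryStream(raw), readerSettings))
        {
            doc.Load(reader);
        }

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("samlp", SamlpNs);
        ns.AddNamespace("saml", SamlNs);
        ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);

        // Only accept the signature where it belongs; a ds:Signature anywhere else is ignored.
        XmlNodeList assertions = doc.SelectNodes("/samlp:Response/saml:Assertion", ns);
        if (assertions.Count != 1) { reason = "expected exactly one saml:Assertion"; return false; }
        var assertion = (XmlElement)assertions[0];

        XmlNodeList signatures = assertion.SelectNodes("ds:Signature", ns);
        if (signatures.Count != 1) { reason = "expected exactly one ds:Signature under the Assertion"; return false; }

        // Anchor SignedXml at the Assertion rather than at the document root.
        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml((XmlElement)signatures[0]);

        string id = assertion.GetAttribute("ID");
        if (id.Length == 0) { reason = "Assertion has no ID"; return false; }
        if (signedXml.SignedInfo.References.Count != 1) { reason = "expected exactly one Reference"; return false; }
        var reference = (Reference)signedXml.SignedInfo.References[0];

        // The Reference must point at this Assertion, not at some other element in the document.
        if (reference.Uri != "#" + id) { reason = "Reference URI " + reference.Uri + " does not match the Assertion ID"; return false; }

        if (!AllowedSignatureMethods.Contains(signedXml.SignedInfo.SignatureMethod)) { reason = "signature method not allowed"; return false; }
        if (!AllowedDigestMethods.Contains(reference.DigestMethod)) { reason = "digest method not allowed"; return false; }
        for (int i = 0; i < reference.TransformChain.Count; i++)
        {
            string algorithm = reference.TransformChain[i].Algorithm;
            if (!AllowedTransforms.Contains(algorithm)) { reason = "transform not allowed: " + algorithm; return false; }
        }

        // Verify with the pinned certificate. The parameterless CheckSignature() uses whatever
        // key the sender placed in ds:KeyInfo, which says nothing about who actually signed.
        if (!signedXml.CheckSignature(trustedSigner, true)) { reason = "digest or signature value does not verify"; return false; }
        reason = "ok";
        return true;
    }
}
```

Call it as `VerifyAssertion(postedValue, new X509Certificate2("idp-signing.cer"), out var reason)` (the file name is a placeholder for wherever your configuration keeps the IdP certificate). The second argument to CheckSignature is true because the certificate is pinned; pass false if you want the chain built and validated as well. Signature validity is only the first gate: the Conditions, Audience, NotBefore/NotOnOrAfter and Recipient values in the sample still have to be checked by the relying party afterwards.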
  • Hi toddcscar,

    I tried passing the Assertion element into the SignedXml constructor, but the CheckSignature(cert, true) call still returns false. There are no errors raised; it just returns false.

    Does

    PreserveWhitespace = true / false

    have any effect on the behaviour of this? I think the answer is yes, but I still want to confirm. And what value should "PreserveWhitespace" have during signing and during verification?

    Thanks.

    Regards,

    -Bugs!

    Monday, May 21, 2012 5:36 AM
  • I have the same problem when I try to validate the signature in an XML document. I have read a lot about it; maybe it is an incompatibility in the .NET Framework version: programs that run on versions lower than 3.5 work fine, but higher versions don't work. If somebody has another idea or solution, please tell us.

    thanks

    Wednesday, December 24, 2014 3:08 PM
  • +1

    Yes, solved the problem for me once.

    Thursday, June 6, 2019 9:58 AM