none
How to correctly apply SHA256 to an Assertion? RRS feed

  • Question

  • Hi,

    I have following VB.NET code to apply a X509Certifcate to an Assertion:

    Imports System.Xml
    Imports System.Security
    Imports System.Security.Cryptography
    Imports System.Security.Cryptography.Xml
    Imports System.Security.Cryptography.X509Certificates
    Imports System.Deployment.Internal.CodeSigning
    Imports System.Security.Permissions
    
    Public Class Form2
        Inherits System.Windows.Forms.Form
    
        <SecurityPermission(SecurityAction.LinkDemand, Unrestricted:=True)> _
        Private Sub SignWithCerButton_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles SignWithCerButton.Click
            ' Variables
            Dim bResult As Boolean = False
            Dim pCertContext As IntPtr = IntPtr.Zero
            Dim key As RSA = Nothing
            Dim doc As XmlDocument = Nothing
            Dim signedXml As SignedXml = Nothing
            Dim reference As Reference = Nothing
            Dim trns As XmlDsigC14NTransform = Nothing
            Dim env As XmlDsigEnvelopedSignatureTransform = Nothing
            Dim keyInfo As KeyInfo = Nothing
            Dim xmlDigitalSignature As XmlElement = Nothing
            Dim cert As X509Certificate2 = Nothing
    
            Dim store As X509Store = New X509Store(StoreName.My, StoreLocation.CurrentUser)
            store.Open(OpenFlags.OpenExistingOnly)
            For Each c As X509Certificate2 In store.Certificates
                'If c.FriendlyName = "Digicert wildcard" Then
                cert = c
                Exit For
                'End If
            Next c
    
            'Added code for sha256 - results in invalid signature
            CryptoConfig.AddAlgorithm(GetType(RSAPKCS1SHA256SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
            Dim cspParams As CspParameters = New CspParameters(24)
            Dim rsaKey As RSACryptoServiceProvider = New RSACryptoServiceProvider(cspParams)
            key = rsaKey
    
            'key = cert.PrivateKey
    
            ' Create a new XML document.
            doc = New XmlDocument
    
            ' Format using white spaces.
            doc.PreserveWhitespace = True
    
            ' Load the passed XML.
            doc.LoadXml(TextBox2.Text)
    
            ' Create a SignedXml object.
            signedXml = New SignedXml(doc)
    
            ' Add the key to the SignedXml document.
            signedXml.SigningKey = key
    
            signedXml.SignedInfo.CanonicalizationMethod = signedXml.XmlDsigExcC14NTransformUrl
    
            'Change signature method to sha256 - results in error
            signedXml.SignedInfo.SignatureMethod = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
    
            ' Create a reference to be signed.
            reference = New Reference
            reference.Uri = "#LEPs4XhrP6yA8MAo4TMSErC.fZQ"
    
            ' Add a transformation to the reference.
            trns = New XmlDsigC14NTransform
            reference.AddTransform(trns)
    
            ' Add an enveloped transformation to the reference.
            env = New XmlDsigEnvelopedSignatureTransform
            reference.AddTransform(env)
    
            ' Add the reference to the SignedXml object.
            signedXml.AddReference(reference)
    
            ' Add an RSAKeyValue KeyInfo (optional; helps recipient find key to validate).
            keyInfo = New KeyInfo
            keyInfo.AddClause(New KeyInfoX509Data(cert))
            keyInfo.AddClause(New RSAKeyValue(CType(key, RSA)))
    
            ' Add the KeyInfo object to the SignedXml object.
            signedXml.KeyInfo = keyInfo
    
            ' Compute the signature.
            signedXml.ComputeSignature()
    
            ' Get the XML representation of the signature and save
            ' it to an XmlElement object.
            xmlDigitalSignature = signedXml.GetXml()
    
            ' Append the element to the XML document.
            Dim manager As XmlNamespaceManager = New XmlNamespaceManager(doc.NameTable)
            manager.AddNamespace("samlp", "urn:oasis:names:tc:SAML:2.0:protocol")
            manager.AddNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion")
    
            Dim curNode As XmlNode = doc.SelectSingleNode("/samlp:Response/saml:Assertion", manager)
            curNode.InsertAfter(xmlDigitalSignature, curNode.ChildNodes(1))
    
            ' Show the signature
            ToVerifyTextbox.Text = doc.OuterXml
        End Sub

    The message to encode is:

    <samlp:Response Version="2.0" ID="SZ-ahA2zg-UAe7lvkKXjbnv9Qwv" IssueInstant="2017-03-07T16:15:42.822Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">fakecompany.entity.id</saml:Issuer>
    <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion ID="LEPs4XhrP6yA8MAo4TMSErC.fZQ" IssueInstant="2017-03-07T16:15:42.824Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>fakecompany.entity.id</saml:Issuer>
    <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">123456</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://sauth.infoarmor.com" NotOnOrAfter="2017-03-07T16:16:42.824Z" />
    </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-03-07T16:14:42.824Z" NotOnOrAfter="2017-03-07T16:16:42.824Z" >
    <saml:AudienceRestriction>
                    <saml:Audience>https://sauth.infoarmor.com</saml:Audience>
    </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement SessionIndex="LEPs4XhrP6yA8MAo4TMSErC.fZQ" AuthnInstant="2017-03-07T16:15:42.824Z" >
    <saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
    <saml:Attribute Name="company" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" >
                    <saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >456</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="type" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname format:basic" >
    <saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">employeeid</saml:AttributeValue>
    </saml:Attribute>
    </saml:AttributeStatement>
    </saml:Assertion>
    </samlp:Response>

    ---

    After encoding the output is:

    <samlp:Response Version="2.0" ID="SZ-ahA2zg-UAe7lvkKXjbnv9Qwv" IssueInstant="2017-03-07T16:15:42.822Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">fakecompany.entity.id</saml:Issuer>
    <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion ID="LEPs4XhrP6yA8MAo4TMSErC.fZQ" IssueInstant="2017-03-07T16:15:42.824Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>fakecompany.entity.id</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI="#LEPs4XhrP6yA8MAo4TMSErC.fZQ"><Transforms><Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>m5Hb9mAE9uFos92mJuZBU78Xxo4=</DigestValue></Reference></SignedInfo><SignatureValue>oaQwQiTmquyTbql6TpzYaEwlc9upii5oORVle5UckJoOJNfF2F45SVxJSr582M0aemutPTuOJ3urbrZekzMcebfObQeCIZh2eaijyU+FgzRXdetA0zIfjlPzeeNPK3ei2JFuesmyheSlZo3ZVSVfyyTBQMYNLqUx8vzSKhhYk/8=</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIDCDCCAfCgAwIBAgIQNCY7wqavvLhMuadKH0lgDDANBgkqhkiG9w0BAQUFADARMQ8wDQYDVQQDEwZwdmFybWEwIBcNMTQwNTA3MTcxODQ1WhgPMjExNDA0MTMxNzE4NDVaMBExDzANBgNVBAMTBnB2YXJtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMTKtnrPdlECqFZGh+eIj+BGdz6zrj0CFapliVDvM5ZWocefqep55YSP1pwy+FayL7OtlTCGG2sllwNTxhPNsZyKwmh17g9PjEsmMXMaDsriC84FfOaj/KIi2ZAvyoO67V8ZIwEG16FEFHSmWadjuiX6w9BTRmkLCdMylz/nVk3r/xec1jn73ucVquzPcNXj2lSITCfg8vQPzGJvA6sAjcowmnBJ9MPbY4/an7Si04Cc3r4ZEiYevlkk4uCymvXEFQCrytbg0b9gg/sIZKwJf+HhHWm4dCtUwSEhzuWlBdHAg5T/BCDZ6028xzj8Jb5IRmwWa2J1P4tuSJAj1oVDK7sCAwEAAaNaMFgwFQYDVR0lBA4wDAYKKwYBBAGCNwoDBDA0BgNVHREELTAroCkGCisGAQQBgjcUAgOgGwwZUFZhcm1hQHNhZmVmaW5hbmNpYWwuY29tADAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUAA4IBAQBw1Ezol39z08wCljAzilSNWE5AsXMWk2yezCO7E8dqAWMDUN6BdhmJNkrMkHeP3xToZEOvPRy8q2NfVeQbrdTWMB+xpqUxIp14aW5IvP7nCepyk8n5R5uHG3eeVF2ps2XEsSQisZcUyDNk4xct1XMz3ZoJNAtOP3mCwG533WnhIcAivIB1e/Lj/sgkr1Au+MQ3ypFV/iqgDMQCvS1CJfcZj4HUY2/wxuTIjy8oNa3Kqlpn3P0RDNhiO//uUZZszZmdnVOL38qeYbMFt/8iPFx42xNzxGALo3Ecm+S0rzmhHgX0cDFo7Y9v/r0M1PcsDP8kbBi7mSs7yjE/IzVLGY4l</X509Certificate></X509Data><KeyValue><RSAKeyValue><Modulus>5OnpBrGGIq3paJwdizKz2Lm8HCoNT7Mm/meI+yCKN/Zw0ZAbQdLcfeVT3eMBH0YiepCkRGUK3ztzK2Nrbphe7yRLGo9Np74bL1+BgYqQWTUoG1//ekXNHsNTcD1Eg5XEyCpmbcradT1XvOqCpNGawKMhmLkN0k4U/KLejJG8NEk=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue></KeyInfo></Signature>
    <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">123456</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://sauth.infoarmor.com" NotOnOrAfter="2017-03-07T16:16:42.824Z" />
    </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-03-07T16:14:42.824Z" NotOnOrAfter="2017-03-07T16:16:42.824Z">
    <saml:AudienceRestriction>
                    <saml:Audience>https://sauth.infoarmor.com</saml:Audience>
    </saml:AudienceRestriction>
            </saml:Conditions>
            <saml:AuthnStatement SessionIndex="LEPs4XhrP6yA8MAo4TMSErC.fZQ" AuthnInstant="2017-03-07T16:15:42.824Z">
    <saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
    <saml:Attribute Name="company" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                    <saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">456</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="type" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname format:basic">
    <saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">employeeid</saml:AttributeValue>
    </saml:Attribute>
    </saml:AttributeStatement>
    </saml:Assertion>
    </samlp:Response>

    ----------

    I need the line "<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />" to reflect sha256 instead of sh1:

    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />

    ----------------

    The Service Provider expects something like:

    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />

    ---------

    How do I get the sha256 Algorithm value please?

    Is this the correct User Forum to post this question? Please let me know otherwise.

    Thank you.


    piyush varma


    Tuesday, December 19, 2017 5:58 PM

All replies

  • Hi,

    Add reference "System.Deployment" into your project, to use CryptoConfig.AddAlgorithm Method.

    using System.Deployment.Internal.CodeSigning;
    CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
    Check:https://blogs.msdn.microsoft.com/winsdk/2015/11/14/using-sha256-with-the-signedxml-class/

    Sincerely,

    Bob



    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Wednesday, December 20, 2017 8:23 AM