Signed XML signature verification for SSO SAML (Using sha256)

    Hello,

    Using VS 2008 with .Net Framework 3.5 on windows 2003 server.

    We have implemented SSO with SAML for security. We work at the service provider end, where we validate the Signed XML SAML Assertion token generated from the client's system.
    As of now, whatever signed documents we came across were using the Signature Algorithm "rsa-sha1", but now we have a new customer who sends a file with the signature algorithm "rsa-sha256", and here the problem started.

    I do not have any background on either web security or SSO SAML :( but I have had a look at the current implementation and it is as below -

    using System;
    using System.Security.Cryptography.Xml;
    using System.Xml;

    public static class SamlSignatureCheck
    {
        // Static XmlDocument loaded elsewhere in the class; its declaration was not shown in the post
        private static XmlDocument m_xmlDoc;

        public static string VerifySignature()
        {
            if (m_xmlDoc == null)
                return "Could not load XMLDocument ";

            try
            {
                XmlNamespaceManager nsm = new XmlNamespaceManager(new NameTable());
                nsm.AddNamespace("dsig", SignedXml.XmlDsigNamespaceUrl);
                // Selects the first <Signature> element found anywhere in the document
                XmlElement sigElt = (XmlElement)m_xmlDoc.SelectSingleNode(
                    "//dsig:Signature", nsm);

                // Load the signature for verification
                SignedXml sig = new SignedXml(m_xmlDoc);
                sig.LoadXml(sigElt);

                // Verifies against whatever key the document itself carries in <KeyInfo>;
                // no trusted certificate is supplied by the caller
                if (!sig.CheckSignature())
                    return "Invalid Signature";
            }
            catch (Exception ex)
            {
                return ex.Message;
            }
            return string.Empty;
        }
    }

     Please note: NO CERTIFICATE USED IN THIS CODE.

    Now, when I try the same code for this new customer (with signature algorithm rsa-sha256), it is not working and I am getting the error "SignatureDescription could not be created for the signature algorithm supplied."

    Going through many blogs and articles in the last 2-3 days, I came to know that SignedXml does not support sha256. Fine. But what next? There are different solutions provided, but nothing is straightforward, and on top of it, "AS A NOVICE" I am not able to understand much out of it. Somewhere it's mentioned to use WIF; I have also checked & tried http://clrsecurity.codeplex.com/wikipage?title=Security.Cryptography.RSAPKCS1SHA256SignatureDescription&referringTitle=Home&ProjectName=clrsecurity

    Can anyone help with some kind of simple solution :)? Thanks in advance for any help.


    "An investment in knowledge pays the best interest." - Ben Franklin

    Wednesday, May 22, 2013 10:19 AM
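The error in the post arises because the default CryptoConfig name mapping in .NET 3.5 knows the SHA-256 digest URI (xmlenc#sha256) but has no SignatureDescription for the rsa-sha256 SignatureMethod URI, so SignedXml cannot build a deformatter. The following is an added example, not a reply from this thread and not the clrsecurity library's code: it supplies that missing SignatureDescription, registers it, and verifies the signature against a certificate the service provider already trusts for the customer instead of the key embedded in the incoming XML. The class and method names (`RsaPkcs1Sha256SignatureDescription`, `SamlSignatureVerifier`, `VerifyAssertion`) and the `trustedIdpCert` parameter are the example's own assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Teaches SignedXml how to handle the rsa-sha256 SignatureMethod. The SHA-256 digest
// URI is already mapped by CryptoConfig; only the signature algorithm URI is missing.
public sealed class RsaPkcs1Sha256SignatureDescription : SignatureDescription
{
    public const string Uri = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    public RsaPkcs1Sha256SignatureDescription()
    {
        KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
        DigestAlgorithm = typeof(SHA256Managed).FullName;
        FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
        DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
    }

    public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
    {
        RSAPKCS1SignatureDeformatter deformatter = new RSAPKCS1SignatureDeformatter(key);
        deformatter.SetHashAlgorithm("SHA256");
        return deformatter;
    }

    public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
    {
        RSAPKCS1SignatureFormatter formatter = new RSAPKCS1SignatureFormatter(key);
        formatter.SetHashAlgorithm("SHA256");
        return formatter;
    }
}

public static class SamlSignatureVerifier
{
    // .NET 4.0 and later: the mapping can be added at process start.
    // .NET 3.5 has no CryptoConfig.AddAlgorithm; map the class in machine.config instead:
    //   <configuration><mscorlib><cryptographySettings><cryptoNameMapping>
    //     <cryptoClasses>
    //       <cryptoClass RsaSha256="YourNamespace.RsaPkcs1Sha256SignatureDescription, YourAssembly" />
    //     </cryptoClasses>
    //     <nameEntry name="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" class="RsaSha256" />
    //   </cryptoNameMapping></cryptographySettings></mscorlib></configuration>
    public static void RegisterSha256()
    {
        CryptoConfig.AddAlgorithm(typeof(RsaPkcs1Sha256SignatureDescription),
                                  RsaPkcs1Sha256SignatureDescription.Uri);
    }

    // Returns string.Empty on success, otherwise a reason. trustedIdpCert is the signing
    // certificate obtained out of band from the customer (assumed to be stored by the SP).
    public static string VerifyAssertion(XmlDocument doc, X509Certificate2 trustedIdpCert)
    {
        if (doc == null || doc.DocumentElement == null)
            return "Could not load XMLDocument";

        XmlNamespaceManager nsm = new XmlNamespaceManager(doc.NameTable);
        nsm.AddNamespace("dsig", SignedXml.XmlDsigNamespaceUrl);

        // Accept only a Signature that is a direct child of the element we will trust.
        // "//dsig:Signature" would also pick up a Signature buried elsewhere in the tree,
        // which may sign some other element than the one the SP acts on.
        XmlNodeList sigs = doc.DocumentElement.SelectNodes("dsig:Signature", nsm);
        if (sigs.Count != 1)
            return "Expected exactly one Signature under the root element";

        SignedXml sig = new SignedXml(doc);
        sig.LoadXml((XmlElement)sigs[0]);

        // Allow only the two algorithms the SP has decided to support.
        if (sig.SignatureMethod != RsaPkcs1Sha256SignatureDescription.Uri
            && sig.SignatureMethod != SignedXml.XmlDsigRSASHA1Url)
            return "Unsupported SignatureMethod: " + sig.SignatureMethod;

        // The single Reference must point at the root element's own ID, so that the
        // bytes that were signed are exactly the element being trusted.
        string rootId = doc.DocumentElement.GetAttribute("ID");
        if (sig.SignedInfo.References.Count != 1 || string.IsNullOrEmpty(rootId)
            || ((Reference)sig.SignedInfo.References[0]).Uri != "#" + rootId)
            return "Signature Reference does not cover the root element";

        try
        {
            // verifySignatureOnly = true: the certificate is pinned, so no chain build is needed here
            return sig.CheckSignature(trustedIdpCert, true) ? string.Empty : "Invalid Signature";
        }
        catch (CryptographicException ex)
        {
            return ex.Message;
        }
    }
}
```

Call `SamlSignatureVerifier.RegisterSha256()` once at startup on .NET 4.0+ (or use the machine.config mapping shown in the comment on 3.5), then pass the loaded assertion and the customer's certificate to `VerifyAssertion`. One caveat for the poster's environment: on .NET 3.5 the RSACryptoServiceProvider behind a certificate's public key may be backed by a legacy CSP that cannot hash with SHA-256, in which case verification fails with an "Invalid algorithm specified" error even after the mapping is registered; re-importing the public key parameters into an RSACryptoServiceProvider created with `new CspParameters(24)` (the AES-capable provider type) before calling `CheckSignature` is the usual remedy.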

Answers

All replies