How to check the signature for a signed XML document with SHA256?

  • Question

  • Seems that SignedXml.CheckSignature is working fine only for signed documents using SHA1.

    I tried this code by adding the algorithm SHA256, and the CheckSignature worked fine but the WIF classes started throwing the following exception:

    System.Security.Cryptography.CryptographicException: Invalid algorithm specified. In this method call System.IdentityModel.Services.FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest

    Seems that the ProcessSignInRequest uses the algorithm SHA1 which has been overridden internally here:

    // Register a SignatureDescription for the rsa-sha256 SignatureMethod URI so that
    // CryptoConfig (and therefore SignedXml) can resolve it; the description class itself
    // is the custom one from the linked thread.
    CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), 
                              "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
    

    What did I miss? How can I specify the algorithm in CheckSignature?

    Wednesday, June 3, 2015 7:55 AM

Answers

All replies

  • Hello hom_rcp,

    >> but the WIF classes started throwing the following exception:

    If possible, please share some code with us, because from your provided link, it does not associate with the WIF class.

    >> What did I miss? How can I specify the algorithm in CheckSignature?

    I am confused: you mention that the CheckSignature method works, and now you ask how to specify the algorithm in CheckSignature.

    As far as I know, SHA256 is not supported by default; a registration step in the code is needed, just like the registration code in your provided link, and here is a thread containing a detailed discussion about it: https://social.msdn.microsoft.com/Forums/vstudio/en-US/6438011b-92fb-4123-a22f-ad071efddf85/xml-digital-signature-with-sha256-algorithm

    Regards.



    Thursday, June 4, 2015 3:02 AM
    Moderator
  • Hi,

    Thanks for answering my question. I will try to clarify it more. In my project, I have a WIF STS and a SAML 2.0 SP (Federation Provider). 

    Both of them, signing tokens in the STS and verifying the SAML 2.0 tokens, work fine with SHA1.

    The problem appears when I started receiving SAML2.0 token signed using an SHA256 hash algorithm. In this case, the CheckSignature in System.Security.Cryptography.Xml.SignedXml class stopped working.

    I found a solution on the internet by defining the algorithm SHA256 in my application.

    // Map the rsa-sha256 URI to a custom SignatureDescription so SignedXml can verify it.
    CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");

    It worked fine, but the WIF classes stopped working and started giving the exception "Invalid algorithm specified.".

    I now want to sign and verify WIF tokens using SHA256, and still be compatible with verifying SHA1-signed tokens.

    I hope it is more clear now. 


    • Edited by hom_rcp Thursday, June 4, 2015 8:01 AM
    Thursday, June 4, 2015 7:34 AM
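The registration asked about in the question, and the sign-with-SHA256-but-still-verify-SHA1 goal stated in the clarification above, put together as one added example. This is not code from the thread or from the linked posts; it is written here to show the complete pattern. It assumes .NET Framework (SignedXml, RSACryptoServiceProvider) and that the registration is done once at process startup; the names XmlSigDemo, RegisterSha256, SignEnveloped and Verify are this example's own. The WIF "Invalid algorithm specified" exception is not reproduced here; one well-known cause of that message when signing with SHA-256 through RSACryptoServiceProvider is a private key held in a CSP without SHA-2 support, which is why the sample key below is created in provider type 24, but whether that is the cause in the asker's STS is not established by this thread.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Maps the rsa-sha256 URI onto RSA PKCS#1 v1.5 signatures over SHA-256 digests.
// .NET Framework before 4.6.2 ships no such mapping, so CheckSignature cannot resolve the URI.
public sealed class RSAPKCS1SHA256SignatureDescription : SignatureDescription
{
    public RSAPKCS1SHA256SignatureDescription()
    {
        KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
        DigestAlgorithm = typeof(SHA256Managed).FullName;
        FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
        DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
    }

    public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
    {
        var d = new RSAPKCS1SignatureDeformatter(key);
        d.SetHashAlgorithm("SHA256");
        return d;
    }

    public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
    {
        var f = new RSAPKCS1SignatureFormatter(key);
        f.SetHashAlgorithm("SHA256");
        return f;
    }
}

// Hypothetical demo class; the method names are this example's own, not a WIF API.
public static class XmlSigDemo
{
    const string RsaSha256Url = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    const string Sha256Url = "http://www.w3.org/2001/04/xmlenc#sha256";
    // Provider type 24 ("Microsoft Enhanced RSA and AES Cryptographic Provider") supports SHA-2;
    // keys living in older CSPs raise "Invalid algorithm specified" when asked to sign with SHA-256.
    const int ProvRsaAes = 24;

    public static void RegisterSha256()
    {
        // Registration is process-wide; call it once at startup, before any SignedXml use.
        CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), RsaSha256Url);
    }

    public static void SignEnveloped(XmlDocument doc, RSA key, bool useSha256)
    {
        var signedXml = new SignedXml(doc) { SigningKey = key };
        signedXml.SignedInfo.SignatureMethod = useSha256 ? RsaSha256Url : SignedXml.XmlDsigRSASHA1Url;
        var reference = new Reference("") { DigestMethod = useSha256 ? Sha256Url : SignedXml.XmlDsigSHA1Url };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
    }

    // Verifies against a key the caller already trusts (for a SAML token: the IdP certificate's
    // public key). The parameterless CheckSignature() lets the document's own KeyInfo pick the key,
    // which is exactly what an attacker controls, so it is not used here.
    public static bool Verify(XmlDocument doc, AsymmetricAlgorithm trustedKey, out string signatureMethod)
    {
        signatureMethod = null;
        var nodes = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1) return false;            // reject missing or ambiguous signatures
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)nodes[0]);
        signatureMethod = signedXml.SignatureMethod;  // rsa-sha1 or rsa-sha256; both resolve once registered
        return signedXml.CheckSignature(trustedKey);
    }

    public static void Main()
    {
        RegisterSha256();
        // Constructed sample: a fresh key in the SHA-2-capable provider and a tiny assertion-like document.
        var key = new RSACryptoServiceProvider(2048, new CspParameters(ProvRsaAes));
        foreach (var sha256 in new[] { true, false })
        {
            var doc = new XmlDocument { PreserveWhitespace = true };
            doc.LoadXml("<Assertion ID=\"_1\"><Subject>alice</Subject></Assertion>");
            SignEnveloped(doc, key, sha256);
            string method;
            Console.WriteLine("{0} -> valid: {1}", method = null, Verify(doc, key, out method) ? method : "false");

            doc.DocumentElement.FirstChild.InnerText = "mallory";   // tamper with the signed content
            Console.WriteLine("after tampering -> valid: {0}", Verify(doc, key, out method));
        }
    }
}
```

Run it once with the registration line commented out to see the failure the question describes: Verify throws CryptographicException for the rsa-sha256 document while the rsa-sha1 document still verifies. With the registration in place both signature methods verify, and both correctly fail after the subject is tampered with, so accepting SHA-256 tokens does not require dropping SHA-1 verification; if SHA-1 is eventually to be retired, that is a policy check on signatureMethod in the caller, not a change to the registration.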
  • Hello hom_rcp,

    >>it worked fine but the WIF classes stopped working and started giving the exception "Invalid algorithm specified."

    For this, we now have a chance to debug the source code according to this blog: http://blogs.msdn.com/b/dotnet/archive/2014/02/24/a-new-look-for-net-reference-source.aspx

    >>I now want to sign and verify WIF tokens using SHA256, and still be compatible with verifying SHA1-signed tokens.

    If the WIF tokens you mean are in SAML 2.0 format, you could check these links:

    Working with SHA-256 and Verifying SAML XML with Certificate Information Extracted from a Metadata XML

    Friday, June 5, 2015 6:31 AM