I have got a digitally signed XML document from a client and am trying to validate it. I am using the Windows 2008 Server R2 environment.
In this XML file, the response I am getting uses the SHA-256 signature algorithm:
ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
I created a digitally signed XML file on my local machine. It shows the digital signature with the SHA-1 algorithm:
SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
I am able to validate this file using the code I have with me.
But I am facing problems with the client-generated XML file that uses the SHA-256 algorithm.
I am getting the error: “SignatureDescription could not be created for the signature algorithm supplied.”
I tried various posts explaining how to validate a SAML Response but was unable to find the solution.
Please suggest how I could validate this file, whose ds:SignatureMethod Algorithm is SHA-256.
------------------------------------
Here is XML file that I am able to validate:
------------------------------------
- <MyElement xmlns="samples">
- Example text to be signed.<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
- <SignedInfo>
- <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
- <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
- <Reference URI="">
- <Transforms>
- <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
- </Transforms>
- <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
- <DigestValue>zSI5ZAMmQ+8u7R2rP7aAPT6nNQw=</DigestValue>
- </Reference>
- </SignedInfo>
- <SignatureValue>sroeP57d2oEGG/vWyXNgwtVHRD6FgJPlTObOLETuh7rzCDoTHZnk9iQzZnmYg4JPLrGpZ6Ii0zBV5TQnir6ye6B4lKdIliQ7/MBIb/w1rzj37PyfjIQhOtuHDMzehvHbBm9HOd3Q3x+jWhkQlIuDiEkxyN5MECJjg1YSXCOY+pk=</SignatureValue>
- <KeyInfo>
- <X509Data>
- <X509Certificate>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</X509Certificate>
- </X509Data>
- </KeyInfo>
- </Signature>
- </MyElement>
Client file (unable to validate): I have changed some of the information in the XML for security reasons.
------------------------------------
- <samlp:Response ID="_9sdsddsaAAsada" Version="2.0" IssueInstant="2011-06-28T15:45:13.424Z" Destination="https://test.abc.com/abc/" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
- <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://mydomain.com/adfs/services/trust</Issuer>
- <samlp:Status>
- <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
- </samlp:Status>
- <Assertion ID="_7a4" IssueInstant="2011-06-28T15:45:13.424Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
- <Issuer>http://mydomain.com/adfs/services/trust</Issuer>
- <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
- <ds:SignedInfo>
- <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
- <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
- <ds:Reference URI="#_testxyz12345">
- <ds:Transforms>
- <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
- <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
- </ds:Transforms>
- <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
- <ds:DigestValue>tpyyynxxyyyYsk55Gh83D5kFsTgE=</ds:DigestValue>
- </ds:Reference>
- </ds:SignedInfo>
- <ds:SignatureValue>1kWJzznFjd4F6A/ij4TdsqfXgsTN0QJ8dfshjsdjfsds njfjsdfsdjfdsfa3OvkUSYJ0iYznPmdOKD8SeTKuJfxOuUVKMoBMO6xHR48ywnRbzWIduP/p+G4Tcw/qT5Ka84aKEpA3nJLHAEEN4HsLVhQWD6jS852kyjPQIBmEGxG3Ya5TwU/vWg6budcVTXQ/vln+DhVhYEnR69CtUSp6eyIJb9rqV+HtUmz6djRN+1MB+80DQC8K4V4vW3YUiNGglZyXmF5g==</ds:SignatureValue>
- <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
- <ds:X509Data>
- <ds:X509Certificate>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</ds:X509Certificate>
- </ds:X509Data>
- </KeyInfo>
- </ds:Signature>
- <Subject>
- <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">SWESTKIR</NameID>
- <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
- <SubjectConfirmationData NotOnOrAfter="2011-06-28T15:50:13.424Z" Recipient="https://testRecipient.test.com/abc/" />
- </SubjectConfirmation>
- </Subject>
- <Conditions NotBefore="2011-06-28T15:45:13.416Z" NotOnOrAfter="2011-06-28T16:45:13.416Z">
- <AudienceRestriction>
- <Audience>https://Audience.test.com/abc/</Audience>
- </AudienceRestriction>
- </Conditions>
- <AttributeStatement>
- <Attribute Name="http://schemas.xmlsoap.org/claims/CommonName" a:OriginalIssuer="http://test.App.com/" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
- <AttributeValue>efs</AttributeValue>
- </Attribute>
- <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" a:OriginalIssuer="http://test.App.com/" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
- <AttributeValue>apple</AttributeValue>
- </Attribute>
- <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" a:OriginalIssuer="http://test.App.com/" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
- <AttributeValue>cap</AttributeValue>
- </Attribute>
- <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" a:OriginalIssuer="http://test.App.com/" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
- <AttributeValue> </AttributeValue>
- </Attribute>
- <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" a:OriginalIssuer="http://test.App.com/" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
- <AttributeValue>test@testApp.com</AttributeValue>
- </Attribute>
- </AttributeStatement>
- <AuthnStatement AuthnInstant="2011-06-28T15:45:09.805Z" SessionIndex="_5a4fd-4aba-4660-a136-80rr1b4c378">
- <AuthnContext>
- <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
- </AuthnContext>
- </AuthnStatement>
- </Assertion>
- </samlp:Response>
------------------------------------
Code to sign an XML file:
------------------------------------
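/// <summary>
/// Signs an XML file with the private key of the certificate whose subject is
/// <paramref name="SubjectName"/> and writes the signed document (an enveloped
/// signature appended to the root element) to <paramref name="SignedFileNamePath"/>.
/// </summary>
/// <param name="FilePath">Path of the XML file to sign.</param>
/// <param name="SignedFileNamePath">Path the signed document is written to (UTF-8 without BOM, no XML declaration).</param>
/// <param name="SubjectName">Subject name handed to GetCertificateBySubject to find the signing certificate in the store.</param>
/// <exception cref="ArgumentNullException">One of the arguments is null.</exception>
/// <exception cref="InvalidOperationException">No certificate was found for the subject, or it carries no private key.</exception>
/// <remarks>
/// SignedXml's defaults are used, so the output carries the rsa-sha1 signature method and sha1 digest
/// (the URIs visible in the sample above). Producing rsa-sha256 instead requires setting
/// signedXml.SignedInfo.SignatureMethod to the rsa-sha256 URI, which only works once the runtime knows
/// that algorithm (built in from .NET Framework 4.6.2; registered through CryptoConfig.AddAlgorithm on
/// older versions) — confirm against the target framework before changing the default.
/// </remarks>
public static void SignXmlFile(string FilePath, string SignedFileNamePath, string SubjectName)
{
    if (FilePath == null)
    {
        throw new ArgumentNullException("FilePath");
    }
    if (SignedFileNamePath == null)
    {
        throw new ArgumentNullException("SignedFileNamePath");
    }
    if (SubjectName == null)
    {
        throw new ArgumentNullException("SubjectName");
    }

    // Load the certificate from the certificate store; fail with a clear message instead of a
    // NullReferenceException when the lookup finds nothing or the certificate cannot sign.
    X509Certificate2 cert = GetCertificateBySubject(SubjectName);
    if (cert == null)
    {
        throw new InvalidOperationException("No certificate found for subject '" + SubjectName + "'.");
    }
    if (!cert.HasPrivateKey)
    {
        throw new InvalidOperationException("Certificate for subject '" + SubjectName + "' has no private key and cannot sign.");
    }

    XmlDocument doc = new XmlDocument();
    // Insignificant whitespace is dropped before signing, so the form that is signed is the form written out below.
    doc.PreserveWhitespace = false;
    doc.Load(FilePath);

    SignedXml signedXml = new SignedXml(doc);
    signedXml.SigningKey = cert.PrivateKey;

    // URI="" signs the whole document; the enveloped-signature transform excludes the Signature element itself.
    Reference reference = new Reference();
    reference.Uri = "";
    reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
    signedXml.AddReference(reference);

    // Embed the certificate so a verifier can identify the signer (a verifier should still pin the
    // certificate it expects rather than trust whatever KeyInfo carries).
    KeyInfo keyInfo = new KeyInfo();
    keyInfo.AddClause(new KeyInfoX509Data(cert));
    signedXml.KeyInfo = keyInfo;

    signedXml.ComputeSignature();

    // Append the <Signature> element to the root element of the document.
    XmlElement xmlDigitalSignature = signedXml.GetXml();
    doc.DocumentElement.AppendChild(doc.ImportNode(xmlDigitalSignature, true));

    // Drop the <?xml ...?> declaration so the output starts with the root element.
    if (doc.FirstChild is XmlDeclaration)
    {
        doc.RemoveChild(doc.FirstChild);
    }

    // UTF8Encoding(false): no byte-order mark. Disposing the writer closes it; no explicit Close needed.
    using (XmlTextWriter xmltw = new XmlTextWriter(SignedFileNamePath, new UTF8Encoding(false)))
    {
        doc.WriteTo(xmltw);
    }
}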
Code to verify a signed XML file:
------------------------------------
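/// <summary>
/// Verifies the first XML-DSig signature found in the file at <paramref name="xmlFilePath"/>
/// against the public key of the certificate stored at <paramref name="CertificatePath"/>.
/// </summary>
/// <param name="xmlFilePath">Path of the signed XML document.</param>
/// <param name="CertificatePath">Path of the certificate file whose public key must have produced the signature.</param>
/// <returns>
/// true when the signature value and reference digests check out with that certificate;
/// false when the document has no Signature element or the check fails.
/// </returns>
/// <exception cref="ArgumentNullException">One of the paths is null.</exception>
/// <exception cref="InvalidOperationException">The certificate file did not yield a certificate.</exception>
/// <exception cref="System.Security.Cryptography.CryptographicException">
/// The SignatureMethod URI is unknown to the runtime ("SignatureDescription could not be created for the
/// signature algorithm supplied"). On .NET Framework versions before 4.6.2 the rsa-sha256 URI used by the
/// client response (http://www.w3.org/2001/04/xmldsig-more#rsa-sha256) is not registered by default; the
/// usual fix is to register a SignatureDescription for it once at startup with CryptoConfig.AddAlgorithm
/// (an RSA PKCS#1 signature description using SHA256) — confirm against the installed framework.
/// </exception>
/// <remarks>
/// Only the signature is checked (the second CheckSignature argument is true); the certificate's chain and
/// trust are NOT validated here, which is acceptable because the certificate comes from a path the caller
/// controls, not from the document's KeyInfo. The method does not check which element the signature covers:
/// when a document carries several signatures (e.g. both a SAML Response and its Assertion are signed), only the
/// first in document order is verified, so a consumer of a specific Assertion must additionally confirm that the
/// verified signature's Reference URI points at that Assertion's ID.
/// </remarks>
public static bool isValidSignature(String xmlFilePath, String CertificatePath)
{
    if (xmlFilePath == null)
    {
        throw new ArgumentNullException("xmlFilePath");
    }
    if (CertificatePath == null)
    {
        throw new ArgumentNullException("CertificatePath");
    }

    // The expected signer is pinned by the caller-supplied certificate, never taken from the document.
    X509Certificate2 cert = GetCertificateByFile(CertificatePath);
    if (cert == null)
    {
        throw new InvalidOperationException("No certificate could be loaded from '" + CertificatePath + "'.");
    }

    XmlDocument xmlDocument = new XmlDocument();
    xmlDocument.Load(xmlFilePath);

    // Namespace-aware lookup: matches <Signature>, <ds:Signature>, or any other prefix bound to the
    // XML-DSig namespace, instead of matching on the literal qualified name.
    XmlNodeList nodeList = xmlDocument.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
    if (nodeList.Count == 0)
    {
        // Unsigned document: report "not valid" instead of failing on a null nodeList[0].
        return false;
    }

    SignedXml signedXml = new SignedXml(xmlDocument);
    signedXml.LoadXml((XmlElement)nodeList[0]);

    // true: verify the signature value with the certificate's public key only; no chain validation.
    return signedXml.CheckSignature(cert, true);
}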
This fails with the message: “SignatureDescription could not be created for the signature algorithm supplied”
when using the client XML with ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
------------------------------------
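/// <summary>
/// Loads an X.509 certificate (the public part, e.g. a .cer file) from disk.
/// </summary>
/// <param name="certificatePath">Path of the certificate file.</param>
/// <returns>The certificate parsed from the file's bytes.</returns>
/// <exception cref="ArgumentNullException"><paramref name="certificatePath"/> is null.</exception>
/// <exception cref="System.IO.IOException">The file cannot be read.</exception>
/// <exception cref="System.Security.Cryptography.CryptographicException">The file content is not a certificate.</exception>
public static X509Certificate2 GetCertificateByFile(string certificatePath)
{
    if (certificatePath == null)
    {
        throw new ArgumentNullException("certificatePath");
    }

    // ReadAllBytes reads the whole file and closes it even when reading throws; the constructor
    // overload replaces Import, which is obsolete in modern .NET.
    byte[] rawData = System.IO.File.ReadAllBytes(certificatePath);
    return new X509Certificate2(rawData);
}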
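/// <summary>
/// Reads the complete content of a file into memory.
/// </summary>
/// <param name="fileName">Path of the file to read.</param>
/// <returns>All bytes of the file.</returns>
/// <exception cref="ArgumentNullException"><paramref name="fileName"/> is null.</exception>
/// <exception cref="FileNotFoundException">The file does not exist.</exception>
internal static byte[] ReadFile(string fileName)
{
    if (fileName == null)
    {
        throw new ArgumentNullException("fileName");
    }

    // File.ReadAllBytes loops until the whole file is read and disposes the stream on every path;
    // the original single FileStream.Read call ignored its return value (a short read would have
    // left trailing zero bytes) and leaked the handle if Read threw.
    return File.ReadAllBytes(fileName);
}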
Thanks in advance