SAML2 FederationMetadata validation

I was working on a project using a SAML2 FederationMetadata document.  The XML signature of the document had to be verified.  I had some issues out of the box with System.Security.Cryptography.Xml.SignedXml, so I thought I'd document them.

"SignatureDescription could not be created for the signature algorithm supplied."

The first issue was with the signature using the "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" signature method (RSA PKCS#1 v1.5 with SHA-256; it is a signature algorithm, not encryption).  The .NET Framework of the time (4.5 and earlier) does not register that URI in CryptoConfig, so System.Security.Cryptography.Xml.SignedXml cannot create a SignatureDescription for it and throws the error above.  The following class has to be added to supply the mapping (from .NET Framework 4.6.2 onward, and in .NET Core, the mapping is built in, so this step is only needed on older frameworks).

    using System.Security.Cryptography;

    // Maps the rsa-sha256 signature method URI to RSA PKCS#1 v1.5 with a SHA-256 digest.
    // The base class creates the digest and the formatter/deformatter from these names
    // via CryptoConfig.CreateFromName.
    public class RSAPKCS1SHA256SignatureDescription : SignatureDescription
    {
        public RSAPKCS1SHA256SignatureDescription()
        {
            base.KeyAlgorithm = "System.Security.Cryptography.RSACryptoServiceProvider";
            base.DigestAlgorithm = "System.Security.Cryptography.SHA256Managed";
            base.FormatterAlgorithm = "System.Security.Cryptography.RSAPKCS1SignatureFormatter";
            base.DeformatterAlgorithm = "System.Security.Cryptography.RSAPKCS1SignatureDeformatter";
        }

        // The base implementation only calls SetKey; the deformatter also needs to be told
        // which hash the PKCS#1 DigestInfo is expected to carry, otherwise verification
        // assumes SHA-1 and fails.
        public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
        {
            AsymmetricSignatureDeformatter asymmetricSignatureDeformatter = (AsymmetricSignatureDeformatter)
                CryptoConfig.CreateFromName(base.DeformatterAlgorithm);
            asymmetricSignatureDeformatter.SetKey(key);
            asymmetricSignatureDeformatter.SetHashAlgorithm("SHA256");
            return asymmetricSignatureDeformatter;
        }
    }

Before you create the SignedXml object, the signature algorithm has to be registered with CryptoConfig under the URI that appears in the document's ds:SignatureMethod element (once per process is enough):

            CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");

            SignedXml signedXml = new SignedXml(metadataXmlDocument);

Some sample code can be found at http://www.copypastecode.com/168417/

The next issue I had was signedXml.CheckSignature(certificate, false) returning false for validly signed files.  The cause was that the certificate was not in the Trusted Root certificate store.  The reason that matters is the second argument (verifySignatureOnly): with it set to false, CheckSignature builds an X509Chain for the certificate and returns false when the chain does not end in a trusted root, regardless of whether the signature itself is valid.  The problem went away after I added the certificate to the store.  Passing true instead skips the chain build and verifies only the signature, which is the better option when the signing certificate is pinned (for example by thumbprint) rather than trusted as a root; dropping a federation partner's certificate into the Trusted Root store makes it a trust anchor for every application on that machine that uses the Windows certificate store.
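Putting the two fixes together, here is an added example (not code from the original post or the linked sample) that verifies the enveloped signature on a metadata document without touching the Trusted Root store: it registers the SHA-256 mapping, loads the ds:Signature element, extracts the signing certificate from ds:KeyInfo, pins it by thumbprint, and only then calls CheckSignature with verifySignatureOnly set to true.  It assumes the RSAPKCS1SHA256SignatureDescription class from above is in the same project; the file path and the expected thumbprint are placeholders to be supplied by the caller.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not from the original post. Assumes RSAPKCS1SHA256SignatureDescription
// (the class shown earlier) is defined in this project.
public static class FederationMetadataVerifier
{
    private const string RsaSha256Uri = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    private const string DsigNs = "http://www.w3.org/2000/09/xmldsig#";

    // Returns true only if (a) the embedded signing certificate matches the thumbprint we
    // trust for this federation and (b) the XML signature verifies under that certificate.
    // Pinning replaces the X509Chain build that CheckSignature(cert, false) performs, so
    // nothing has to be added to the machine's Trusted Root store.
    public static bool Verify(string metadataPath, string expectedThumbprint)
    {
        // Needed on .NET Framework before 4.6.2; harmless elsewhere.
        CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), RsaSha256Uri);

        // Whitespace is part of the signed bytes; PreserveWhitespace avoids canonicalization
        // mismatches. XmlResolver = null stops DTD/external entity fetches on untrusted input.
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        doc.Load(metadataPath);

        var nsmgr = new XmlNamespaceManager(doc.NameTable);
        nsmgr.AddNamespace("ds", DsigNs);
        // The metadata signature is a direct child of the root EntitiesDescriptor/EntityDescriptor.
        var signatureNode = doc.SelectSingleNode("/*/ds:Signature", nsmgr) as XmlElement;
        if (signatureNode == null)
            return false;

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml(signatureNode);

        // Refuse any other SignatureMethod so a downgrade to SHA-1 (or an algorithm we never
        // reviewed) is not silently accepted just because CryptoConfig happens to know it.
        if (signedXml.SignedInfo.SignatureMethod != RsaSha256Uri)
            return false;

        // Pull the signing certificate out of <ds:KeyInfo>/<ds:X509Data>.
        X509Certificate2 signingCert = null;
        foreach (KeyInfoClause clause in signedXml.KeyInfo)
        {
            var x509Data = clause as KeyInfoX509Data;
            if (x509Data != null && x509Data.Certificates != null && x509Data.Certificates.Count > 0)
            {
                signingCert = (X509Certificate2)x509Data.Certificates[0];
                break;
            }
        }
        if (signingCert == null)
            return false;

        // Pin before verifying: anyone can embed any certificate in KeyInfo and sign with its
        // key, so "valid under the embedded key" proves nothing by itself.
        string actual = signingCert.Thumbprint;
        string expected = expectedThumbprint.Replace(" ", "").Replace(":", "");
        if (!string.Equals(actual, expected, StringComparison.OrdinalIgnoreCase))
            return false;

        // verifySignatureOnly: true -> check the signature only, no X509Chain build.
        return signedXml.CheckSignature(signingCert, true);
    }

    public static void Main(string[] args)
    {
        // Placeholders: the real metadata file and the thumbprint obtained out of band
        // from the federation operator.
        bool ok = Verify("FederationMetadata.xml", "0000000000000000000000000000000000000000");
        Console.WriteLine(ok ? "signature valid and signer pinned" : "REJECTED");
    }
}
```

The thumbprint comparison is what carries the trust decision here; CheckSignature only proves that whoever holds the private key for the embedded certificate produced the signature.  If you would rather rely on PKI than on a pinned thumbprint, build and evaluate the X509Chain yourself against the issuer you expect instead of letting CheckSignature(cert, false) consult the machine store.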


posted on Friday, July 12, 2013 3:56 PM

Feedback

# re: SAML2 FederationMetadata validation

left by Marko at 3/4/2014 3:23 AM
You are a life saver!

# re: SAML2 FederationMetadata validation

left by Helmut at 3/31/2014 3:30 AM
Thanks for posting this. I was starting to grow grey hair over this.