SSO SAML的签名XML签名验证(使用sha256) [英] Signed XML signature verification for SSO SAML (Using sha256)
问题描述
在Windows 2003 Server上将VS 2008与.Net Framework 3.5一起使用.
Using VS 2008 with .Net Framework 3.5 on windows 2003 server.
为了安全起见,我们已经使用SAML实施了SSO.我们在服务提供商端工作,在此我们验证从客户端系统生成的Signed XML SAML Assertuib令牌.到目前为止,我们遇到的所有签名文档都使用签名算法"rsa-sha1",但是现在我们有新客户发送带有签名算法"rsa-sha256"的文件,这就是问题所在.
We have implemented SSO with SAML for security. We work at service provider end where we validate the Signed XML SAML Assertuib token generated from client's system. As of now whatever signed documents we came across were using the Signature Algorithm "rsa-sha1", but now we have new customer who sends a file with the signature algorithm as "rsa-sha256" and here is the problem started.
public static string VerifySignature()
{
if (m_xmlDoc == null)
return "Could not load XMLDocument ";
try
{
XmlNamespaceManager nsm = new XmlNamespaceManager(new NameTable());
nsm.AddNamespace("dsig", SignedXml.XmlDsigNamespaceUrl);
XmlElement sigElt = (XmlElement)m_xmlDoc.SelectSingleNode(
"//dsig:Signature", nsm);
// Load the signature for verification
SignedXml sig = new SignedXml(m_xmlDoc);
sig.LoadXml(sigElt);
if (!sig.CheckSignature())
return "Invalid Signature";
}
catch (Exception ex)
{
return ex.Message;
}
return string.Empty;
}
现在,当我为这个新客户(使用签名算法rsa-sha256h)尝试相同的代码时-这不起作用,并且出现错误无法为提供的签名算法创建SignatureDescription."
Now, when I try the same code for this new customer (with signature algorithm rsa-sha256h) - this is not working and I am getting the error "SignatureDescription could not be created for the signature algorithm supplied."
在过去2-3天内浏览了许多博客和文章,我知道SignedXml不支持sha256.美好的.但是接下来呢.在提到使用WIF的地方,我还检查了&已尝试此.
Going through many blogs and articles in last 2-3 days, I came to know that SignedXml does not support sha256. Fine. But what next. Somewhere its mentioned that use the WIF, I have also checked & tried this.
我还试图使用RSAPKCS1SignatureDeformatter的VerifySignature方法.但不确定要传递的两个参数是什么.
I am also trying to use RSAPKCS1SignatureDeformatter's VerifySignature method. But not really sure what are the two parameters to be passed.
推荐答案
Dotnet 4.6.2+具有内置的更新的 sha 哈希.对于dotnet 4+,要访问rsa-sha512,rsa-sha384和rsa-sha256,您应该在某个地方包含此代码.
Dotnet 4.6.2+ has the newer sha hashes built in. For dotnet 4 +, to get access to rsa-sha512, rsa-sha384, and rsa-sha256, you should include this code someplace.
/// <summary>Declare the signature type for rsa-sha512</summary>
public class RsaPkCs1Sha512SignatureDescription : SignatureDescription
{
public RsaPkCs1Sha512SignatureDescription()
{
KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
DigestAlgorithm = typeof(SHA512CryptoServiceProvider).FullName;
FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
}
public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
{
var sigProcessor = (AsymmetricSignatureDeformatter)CryptoConfig.CreateFromName(DeformatterAlgorithm);
sigProcessor.SetKey(key);
sigProcessor.SetHashAlgorithm("SHA512");
return sigProcessor;
}
public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
{
var sigProcessor =
(AsymmetricSignatureFormatter)CryptoConfig.CreateFromName(FormatterAlgorithm);
sigProcessor.SetKey(key);
sigProcessor.SetHashAlgorithm("SHA512");
return sigProcessor;
}
}
/// <summary>Declare the signature type for rsa-sha384</summary>
public class RsaPkCs1Sha384SignatureDescription : SignatureDescription {
public RsaPkCs1Sha384SignatureDescription()
{
KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
DigestAlgorithm = typeof(SHA384CryptoServiceProvider).FullName;
FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
}
public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
{
var sigProcessor = (AsymmetricSignatureDeformatter) CryptoConfig.CreateFromName(DeformatterAlgorithm);
sigProcessor.SetKey(key);
sigProcessor.SetHashAlgorithm("SHA384");
return sigProcessor;
}
public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
{
var sigProcessor =
(AsymmetricSignatureFormatter)CryptoConfig.CreateFromName(FormatterAlgorithm);
sigProcessor.SetKey(key);
sigProcessor.SetHashAlgorithm("SHA384");
return sigProcessor;
}
}
/// <summary>Declare the signature type for rsa-sha256</summary>
public class RsaPkCs1Sha256SignatureDescription : SignatureDescription
{
public RsaPkCs1Sha256SignatureDescription()
{
KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
DigestAlgorithm = typeof(SHA256CryptoServiceProvider).FullName;
FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
}
public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
{
var sigProcessor =
(AsymmetricSignatureDeformatter) CryptoConfig.CreateFromName(DeformatterAlgorithm);
sigProcessor.SetKey(key);
sigProcessor.SetHashAlgorithm("SHA256");
return sigProcessor;
}
public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
{
var sigProcessor =
(AsymmetricSignatureFormatter)CryptoConfig.CreateFromName(FormatterAlgorithm);
sigProcessor.SetKey(key);
sigProcessor.SetHashAlgorithm("SHA256");
return sigProcessor;
}
}
然后,您应该通过调用这样的代码来激活这些信号描述.您只需要调用一次,因此您可以根据需要从静态构造函数中调用它.
Then, you should activate these sig descriptions by calling code like this. You only need to call it once, so you can call it from a static constructor if you wish.
CryptoConfig.AddAlgorithm(typeof(RsaPkCs1Sha512SignatureDescription),
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha512");
CryptoConfig.AddAlgorithm(typeof(RsaPkCs1Sha384SignatureDescription),
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha384");
CryptoConfig.AddAlgorithm(typeof(RsaPkCs1Sha256SignatureDescription),
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
提示 BitSchupster和安德鲁
Tip o' the hat to Microsoft's Carlos Lopez and BitSchupster and Andrew on SO.
这篇关于SSO SAML的签名XML签名验证(使用sha256)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
