SAML 1.1断言的SignedXml.CheckSignature失败 [英] SignedXml.CheckSignature fails for SAML 1.1 Assertion

问题描述

这个主题似乎有几个帖子，但是没有一个提供描述性的解决方案。我的代码非常简单：我使用代码生成SAML 1.1断言：

There seems to be several posts on this topic, however none of them providing a descriptive solution. My code is very simple: I am generating a SAML 1.1 assertion using the code:

X509AsymmetricSecurityKey

X509AsymmetricSecurityKey

 

signingKey = new
X509AsymmetricSecurityKey （x509Certificate）;

signingKey = new X509AsymmetricSecurityKey(x509Certificate);

 

//这里我们创建一些SAML断言ID和发卡行名称。

 

SamlAssertion 断言=
new
SamlAssertion （）;

SamlAssertion assertion = new SamlAssertion();

assertion.AssertionId =

assertion.AssertionId =

" _" +
Guid .NewGuid（）。ToString（）;

"_" + Guid.NewGuid().ToString();

assertion.Issuer =

assertion.Issuer =

" www.tokenissuer.net" ;

"www.tokenissuer.net";

 

< span style ="color：＃008000; font-size：x-small"> //不在之前，不在条件之后

assertion.Conditions =

assertion.Conditions =

new
SamlConditions （ DateTime 。现在，
DateTime 。Now.AddMinutes（60））;

new SamlConditions(DateTime.Now, DateTime.Now.AddMinutes(60));

 

//创建一些SAML主题。

 

SamlSubject samlSubject =
new
SamlSubject （）;

SamlSubject samlSubject = new SamlSubject();

samlSubject.Name =

samlSubject.Name =

" e_pref.csi.client" ;

"e_pref.csi.client";

samlSubject.ConfirmationMethods.Add（

samlSubject.ConfirmationMethods.Add(

" urn：oasis：names：tc ：SAML：1.0：cm：sender-vouches" ）;

"urn:oasis:names:tc:SAML:1.0:cm:sender-vouches");

 

 

SamlAuthenticationStatement samlAuthenticationStatement =
new
SamlAuthenticationStatement （）;

SamlAuthenticationStatement samlAuthenticationStatement = new SamlAuthenticationStatement();

samlAuthenticationStatement.AuthenticationInstant =

samlAuthenticationStatement.AuthenticationInstant =

DateTime 。现在;

DateTime.Now;

samlAuthenticationStatement.AuthenticationMethod =

samlAuthenticationStatement.AuthenticationMethod =

" urn：oasis：names：tc：SAML：1.0：am：password" ;

"urn:oasis:names:tc:SAML:1.0:am:password";

samlAuthenticationStatement.SamlSubject = samlSubject;

samlAuthenticationStatement.SamlSubject = samlSubject;

assertion.Statements.Add（samlAuthenticationStatement）;

assertion.Statements.Add(samlAuthenticationStatement);

assertion.SigningCredentials =

assertion.SigningCredentials =

new
SigningCredentials （signingKey，
SecurityAlgorithms 。RsaSha1Signature，
SecurityAlgorithms 。Sha1Digest）;

new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha1Signature, SecurityAlgorithms.Sha1Digest);

 

//从提供的断言创建SamlSecurityToken

 

SamlSecurityToken samlToken =
new
SamlSecurityToken （断言）;

SamlSecurityToken samlToken = new SamlSecurityToken(assertion);

 

// System.ServiceModel.Security.WSSecurityTokenSerializer ser = new System.ServiceModel.Security.WSSecurityTokenSerializer（）;

 

SecurityTokenHandlerCollectionManager mgr =
SecurityTokenHandlerCollectionManager 。CreateDefaultSecurityTokenHandlerCollectionManager（）;

SecurityTokenHandlerCollectionManager mgr = SecurityTokenHandlerCollectionManager.CreateDefaultSecurityTokenHandlerCollectionManager();

 

SecurityTokenHandlerCollection sthc = mgr.SecurityTokenHandlerCollections.First（）;

SecurityTokenHandlerCollection sthc = mgr.SecurityTokenHandlerCollections.First();

 

SecurityTokenSerializer ser =
new
SecurityTokenSerializerAdapter （sthc）;

SecurityTokenSerializer ser = new SecurityTokenSerializerAdapter(sthc);

 

XmlWriterSettings settings =
new
XmlWriterSettings （）

XmlWriterSettings settings = new XmlWriterSettings()

{

编码=

编码 。UTF8，

Encoding.UTF8,

缩进=

true ，

true,

OmitXmlDeclaration =

OmitXmlDeclaration =

true ，

true,

CloseOutput =

CloseOutput =

true

};

 

StringBuilder sb =
new
StringBuilder （）;

StringBuilder sb = new StringBuilder();

 

XmlWriter innerWriter =
XmlWriter 。创建（sb，设置）;

XmlWriter innerWriter = XmlWriter.Create(sb, settings);

ser.WriteToken（innerWriter，samlToken）;

ser.WriteToken(innerWriter, samlToken);

 

返回 sb.ToString（）;

 

然后当我尝试使用以下方式验证此令牌时：

SignedXml

SignedXml

 

signedXml = new
SignedXml （Doc）;
// Doc.LoadXml（令牌）用于加载从上一个方法返回的令牌

signedXml = new SignedXml(Doc); // Doc.LoadXml(token) is used to load the token returned from the previous method

 

//找到"签名"节点并创建一个新的

 

// XmlNodeList对象。

 

XmlNodeList nodeList = Doc.GetElementsByTagName（ " ds：签名" ）;

XmlNodeList nodeList = Doc.GetElementsByTagName("ds:Signature");

 

//如果没有找到签名，则抛出异常。

 

if （nodeList.Count< = 0）

if (nodeList.Count <= 0)

{

 

throw
new
CryptographicException （ "验证
失败：在文档中未找到签名。" ）;

throw new CryptographicException("Verification failed: No Signature was found in the document.");

}

 

//此示例仅支持 的一个签名

// This example only supports one signature for

 

//整个XML文档。抛出异常

 

//如果找到多个签名。

 

if （nodeList.Count> = 2）

if (nodeList.Count >= 2)

{

 

throw
new
CryptographicException （ "验证
失败：找到更多的文档签名。" ）;

throw new CryptographicException("Verification failed: More that one signature was found for the document.");

}

 

//加载第一个< signature>节点。

signedXml.LoadXml（（

signedXml.LoadXml((

XmlElement ）nodeList [0]）;

XmlElement)nodeList[0]);

 

//检查签名并返回结果。

 

return signedXml.CheckSignature（x509Certificate.PrivateKey）;

我总是假的。有人能指出我在这里可能缺少的东西吗？只是为了给你一点历史，我需要生成此SAML并通过WS Security标头将其发送到Java服务

问候，

Sandeep

 

推荐答案

错误是什么？如果您无法使用WS Sec进行检查，试试这个
SAML lib 。更多信息请访问
SAML 博客。

What is the error? If you cannot use WS Sec to check, try this SAML lib . More information are at this SAML blog .

这篇关于SAML 1.1断言的SignedXml.CheckSignature失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！