C# SSO SAML的签名XML签名验证(使用sha256)
在windows 2003 server上使用VS 2008和.Net Framework 3.5 为了安全起见,我们使用SAML实现了SSO。我们在服务提供者端工作,验证从客户机系统生成的签名XML SAML Assertuib令牌。 到目前为止,我们遇到的任何签名文档都使用签名算法“rsa-sha1”,但现在我们有了一个新客户,他发送了一个签名算法为“rsa-sha256”的文件,问题开始了C# SSO SAML的签名XML签名验证(使用sha256),c#,.net,saml,sha256,signedxml,C#,.net,Saml,Sha256,Signedxml,在windows 2003 server上使用VS 2008和.Net Framework 3.5 为了安全起见,我们使用SAML实现了SSO。我们在服务提供者端工作,验证从客户机系统生成的签名XML SAML Assertuib令牌。 到目前为止,我们遇到的任何签名文档都使用签名算法“rsa-sha1”,但现在我们有了一个新客户,他发送了一个签名算法为“rsa-sha256”的文件,问题开始了 public static string VerifySignature() { if (m
public static string VerifySignature()
{
if (m_xmlDoc == null)
return "Could not load XMLDocument ";
try
{
XmlNamespaceManager nsm = new XmlNamespaceManager(new NameTable());
nsm.AddNamespace("dsig", SignedXml.XmlDsigNamespaceUrl);
XmlElement sigElt = (XmlElement)m_xmlDoc.SelectSingleNode(
"//dsig:Signature", nsm);
// Load the signature for verification
SignedXml sig = new SignedXml(m_xmlDoc);
sig.LoadXml(sigElt);
if (!sig.CheckSignature())
return "Invalid Signature";
}
catch (Exception ex)
{
return ex.Message;
}
return string.Empty;
}
现在,当我为这个新客户(使用签名算法rsa-sha256h)尝试相同的代码时,这不起作用,我得到错误“无法为提供的签名算法创建SignatureDescription”
在过去的2-3天里,我浏览了很多博客和文章,发现SignedXml不支持sha256。好的但是接下来呢。在提到使用WIF的地方,我也检查并尝试了
我还尝试使用RSAPKCS1 SignatureFormatter的VerifySignature方法。但不确定要传递的两个参数是什么。这符合“简单”但可能不是“解决方案”:)对于我们遇到的少数客户,我们已要求他们将其IdP更改为使用SHA-1签名。他们能够改变它,当他们这样做的时候,它是有效的
不是一个技术解决方案,但它“在现场”起到了作用,所以我想我应该提到它。对于.net 4和更早版本,
我发现,一旦添加了安全性,下面的方法就可以工作了
(注意X509CertificateFinder是我自己的,通过指纹在证书存储中查找签名证书)
//
///验证XmlDocuments签名
///
///带有要验证的签名元素集的saml响应
///如果可以使用证书验证签名,则为True
public bool ValidateX509CertificateSignature(XmlDocument xnlDoc)
{
XmlNodeList XMLSignatures=xnlDoc.GetElementsByTagName(“签名”)http://www.w3.org/2000/09/xmldsig#");
//检查响应或断言是否已签名一次且仅签名一次。
如果(XMLSignatures.Count!=1)返回false;
var signedXmlDoc=新的SignedXml(xnlDoc);
signedXmlDoc.LoadXml((xmlement)XMLSignatures[0]);
var certFinder=new X509CertificateFinder();
var foundCert=certFinder.GetSignatureCertificate();
CryptoConfig.AddAlgorithm(类型(RSAPKCS1SHA256SignatureDescription),”http://www.w3.org/2001/04/xmldsig-more#rsa-sha256”);
返回signedXmlDoc.CheckSignature(foundCert,false);
}
dotnet4.6.2+内置了较新的sha
哈希。对于dotnet 4+,要访问rsa-sha512、rsa-sha384和rsa-sha256,您应该在某处包含此代码
/// <summary>Declare the signature type for rsa-sha512</summary>
public class RsaPkCs1Sha512SignatureDescription : SignatureDescription
{
public RsaPkCs1Sha512SignatureDescription()
{
KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
DigestAlgorithm = typeof(SHA512CryptoServiceProvider).FullName;
FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
}
public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
{
var sigProcessor = (AsymmetricSignatureDeformatter)CryptoConfig.CreateFromName(DeformatterAlgorithm);
sigProcessor.SetKey(key);
sigProcessor.SetHashAlgorithm("SHA512");
return sigProcessor;
}
public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
{
var sigProcessor =
(AsymmetricSignatureFormatter)CryptoConfig.CreateFromName(FormatterAlgorithm);
sigProcessor.SetKey(key);
sigProcessor.SetHashAlgorithm("SHA512");
return sigProcessor;
}
}
/// <summary>Declare the signature type for rsa-sha384</summary>
public class RsaPkCs1Sha384SignatureDescription : SignatureDescription {
public RsaPkCs1Sha384SignatureDescription()
{
KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
DigestAlgorithm = typeof(SHA384CryptoServiceProvider).FullName;
FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
}
public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
{
var sigProcessor = (AsymmetricSignatureDeformatter) CryptoConfig.CreateFromName(DeformatterAlgorithm);
sigProcessor.SetKey(key);
sigProcessor.SetHashAlgorithm("SHA384");
return sigProcessor;
}
public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
{
var sigProcessor =
(AsymmetricSignatureFormatter)CryptoConfig.CreateFromName(FormatterAlgorithm);
sigProcessor.SetKey(key);
sigProcessor.SetHashAlgorithm("SHA384");
return sigProcessor;
}
}
/// <summary>Declare the signature type for rsa-sha256</summary>
public class RsaPkCs1Sha256SignatureDescription : SignatureDescription
{
public RsaPkCs1Sha256SignatureDescription()
{
KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
DigestAlgorithm = typeof(SHA256CryptoServiceProvider).FullName;
FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
}
public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
{
var sigProcessor =
(AsymmetricSignatureDeformatter) CryptoConfig.CreateFromName(DeformatterAlgorithm);
sigProcessor.SetKey(key);
sigProcessor.SetHashAlgorithm("SHA256");
return sigProcessor;
}
public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
{
var sigProcessor =
(AsymmetricSignatureFormatter)CryptoConfig.CreateFromName(FormatterAlgorithm);
sigProcessor.SetKey(key);
sigProcessor.SetHashAlgorithm("SHA256");
return sigProcessor;
}
}
提示:等等。只需将其更新到.NET framework 4.6.01590或更高版本,它将支持多达SHA-512而无需任何代码更改。我的印象是,加密算法是受支持的,因为它支持X509Certificate2对象。sig.CheckSignature(…)方法有一个重载,它接受两个参数,X509Certificate2和bool。您是否尝试过使用它并传递证书和true?请注意,从.NET 4.5开始,您不需要安装任何与.NET 4.0和更早版本不同的第三方库。您只需添加对System.Deployment的引用,并调用System.Security.Cryptography.CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription),RsaSha256Namespace)代码>在流程中执行一次,之后原始问题中的代码将使用SHA256哈希。另请参见'const string RsaSha256Namespace=“”;`。。。。及。。。。。框架4.6.2解决了这个问题,不需要任何额外的代码。@OllieJones-您是否知道您的代码是否会在以后和以后迁移到目标4.6.2时中断?@StephanG我已顺利迁移到4.6.1。我知道4.6.2不再需要这段代码,因为他们添加了新的哈希。请参阅的X509部分。我还没有证实这一事实。我已经有客户拒绝做出改变,叹息。
/// <summary>Declare the signature type for rsa-sha512</summary>
public class RsaPkCs1Sha512SignatureDescription : SignatureDescription
{
public RsaPkCs1Sha512SignatureDescription()
{
KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
DigestAlgorithm = typeof(SHA512CryptoServiceProvider).FullName;
FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
}
public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
{
var sigProcessor = (AsymmetricSignatureDeformatter)CryptoConfig.CreateFromName(DeformatterAlgorithm);
sigProcessor.SetKey(key);
sigProcessor.SetHashAlgorithm("SHA512");
return sigProcessor;
}
public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
{
var sigProcessor =
(AsymmetricSignatureFormatter)CryptoConfig.CreateFromName(FormatterAlgorithm);
sigProcessor.SetKey(key);
sigProcessor.SetHashAlgorithm("SHA512");
return sigProcessor;
}
}
/// <summary>Declare the signature type for rsa-sha384</summary>
public class RsaPkCs1Sha384SignatureDescription : SignatureDescription {
public RsaPkCs1Sha384SignatureDescription()
{
KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
DigestAlgorithm = typeof(SHA384CryptoServiceProvider).FullName;
FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
}
public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
{
var sigProcessor = (AsymmetricSignatureDeformatter) CryptoConfig.CreateFromName(DeformatterAlgorithm);
sigProcessor.SetKey(key);
sigProcessor.SetHashAlgorithm("SHA384");
return sigProcessor;
}
public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
{
var sigProcessor =
(AsymmetricSignatureFormatter)CryptoConfig.CreateFromName(FormatterAlgorithm);
sigProcessor.SetKey(key);
sigProcessor.SetHashAlgorithm("SHA384");
return sigProcessor;
}
}
/// <summary>Declare the signature type for rsa-sha256</summary>
public class RsaPkCs1Sha256SignatureDescription : SignatureDescription
{
public RsaPkCs1Sha256SignatureDescription()
{
KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
DigestAlgorithm = typeof(SHA256CryptoServiceProvider).FullName;
FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
}
public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
{
var sigProcessor =
(AsymmetricSignatureDeformatter) CryptoConfig.CreateFromName(DeformatterAlgorithm);
sigProcessor.SetKey(key);
sigProcessor.SetHashAlgorithm("SHA256");
return sigProcessor;
}
public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
{
var sigProcessor =
(AsymmetricSignatureFormatter)CryptoConfig.CreateFromName(FormatterAlgorithm);
sigProcessor.SetKey(key);
sigProcessor.SetHashAlgorithm("SHA256");
return sigProcessor;
}
}
CryptoConfig.AddAlgorithm(typeof(RsaPkCs1Sha512SignatureDescription),
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha512");
CryptoConfig.AddAlgorithm(typeof(RsaPkCs1Sha384SignatureDescription),
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha384");
CryptoConfig.AddAlgorithm(typeof(RsaPkCs1Sha256SignatureDescription),
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");