sunil sharma

Unable to validate digitally signed XML document

Jul 14 2011 6:32 AM
Hi All,

I have got a digitally signed XML document from a client and am trying to validate it. I am using the Windows Server 2008 R2 environment.

In this XML file the response I am getting has the signature algorithm SHA-256:
 ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

I created a digitally signed XML on my local machine. It shows the digital signature with the SHA-1 algorithm:
SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"

I am able to validate this file using the code I have with me,
but I am facing problems with the client-generated SHA-256 XML file.

I am getting the error: "SignatureDescription could not be created for the signature algorithm supplied."
I tried various posts explaining how to validate a SAML Response but was unable to get a solution.
Please suggest how I could validate this file with a ds:SignatureMethod Algorithm of SHA-256.
------------------------------------
Here is XML file that I am able to validate:
------------------------------------
<MyElement xmlns="samples">
  Example text to be signed.<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>zSI5ZAMmQ+8u7R2rP7aAPT6nNQw=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>sroeP57d2oEGG/vWyXNgwtVHRD6FgJPlTObOLETuh7rzCDoTHZnk9iQzZnmYg4JPLrGpZ6Ii0zBV5TQnir6ye6B4lKdIliQ7/MBIb/w1rzj37PyfjIQhOtuHDMzehvHbBm9HOd3Q3x+jWhkQlIuDiEkxyN5MECJjg1YSXCOY+pk=</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>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</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</MyElement>
------------------------------------
Client file (unable to validate): I have changed some of the information in the XML for security reasons.
------------------------------------
<samlp:Response ID="_9sdsddsaAAsada" Version="2.0" IssueInstant="2011-06-28T15:45:13.424Z" Destination="https://test.abc.com/abc/" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://mydomain.com/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="_7a4" IssueInstant="2011-06-28T15:45:13.424Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://mydomain.com/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#_testxyz12345">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <ds:DigestValue>tpyyynxxyyyYsk55Gh83D5kFsTgE=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>1kWJzznFjd4F6A/ij4TdsqfXgsTN0QJ8dfshjsdjfsds njfjsdfsdjfdsfa3OvkUSYJ0iYznPmdOKD8SeTKuJfxOuUVKMoBMO6xHR48ywnRbzWIduP/p+G4Tcw/qT5Ka84aKEpA3nJLHAEEN4HsLVhQWD6jS852kyjPQIBmEGxG3Ya5TwU/vWg6budcVTXQ/vln+DhVhYEnR69CtUSp6eyIJb9rqV+HtUmz6djRN+1MB+80DQC8K4V4vW3YUiNGglZyXmF5g==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">SWESTKIR</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2011-06-28T15:50:13.424Z" Recipient="https://testRecipient.test.com/abc/" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2011-06-28T15:45:13.416Z" NotOnOrAfter="2011-06-28T16:45:13.416Z">
      <AudienceRestriction>
        <Audience>https://Audience.test.com/abc/</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.xmlsoap.org/claims/CommonName" a:OriginalIssuer="http://test.App.com/" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
        <AttributeValue>efs</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" a:OriginalIssuer="http://test.App.com/" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
        <AttributeValue>apple</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" a:OriginalIssuer="http://test.App.com/" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
        <AttributeValue>cap</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" a:OriginalIssuer="http://test.App.com/" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
        <AttributeValue> </AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" a:OriginalIssuer="http://test.App.com/" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
        <AttributeValue>[email protected]</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2011-06-28T15:45:09.805Z" SessionIndex="_5a4fd-4aba-4660-a136-80rr1b4c378">
      <AuthnContext>
        <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>

Here is my code:
------------------------------------
Code to sign a XML:
------------------------------------
  using System.Security.Cryptography.X509Certificates;
  using System.Security.Cryptography.Xml;
  using System.Text;
  using System.Xml;

  // Sign an XML file with an enveloped signature and save the result in a new file.
  public static void SignXmlFile(string FilePath, string SignedFileNamePath, string SubjectName)
  {
    // Load the certificate (it must carry the private key) from the certificate store.
    X509Certificate2 cert = GetCertificateBySubject(SubjectName);

    // Create a new XML document.
    XmlDocument doc = new XmlDocument();

    // Drop insignificant whitespace before signing. The signed file is written
    // from this same in-memory tree, so the digest still matches what is saved.
    doc.PreserveWhitespace = false;

    // Do not resolve external entities or DTDs referenced by the input file.
    doc.XmlResolver = null;

    // Load the passed XML file using its name.
    doc.Load(FilePath);

    // Create a SignedXml object over the document.
    SignedXml signedXml = new SignedXml(doc);

    // Add the private key to the SignedXml object. No SignatureMethod is set,
    // so SignedXml falls back to its default for an RSA key, which on this
    // .NET version is http://www.w3.org/2000/09/xmldsig#rsa-sha1 (as seen in
    // the locally signed file above).
    signedXml.SigningKey = cert.PrivateKey;

    // Create a reference to the whole document (URI "" = enveloping document).
    Reference reference = new Reference();
    reference.Uri = "";

    // Add an enveloped-signature transform so the Signature element itself
    // is excluded from the digest.
    XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
    reference.AddTransform(env);

    // Add the reference to the SignedXml object.
    signedXml.AddReference(reference);

    // Embed the signing certificate in KeyInfo so the verifier can find it.
    // (A verifier must still decide independently whether to trust it.)
    KeyInfo keyInfo = new KeyInfo();
    keyInfo.AddClause(new KeyInfoX509Data(cert));
    signedXml.KeyInfo = keyInfo;

    // Compute the signature.
    signedXml.ComputeSignature();

    // Get the XML representation of the signature and append it to the
    // document's root element.
    XmlElement xmlDigitalSignature = signedXml.GetXml();
    doc.DocumentElement.AppendChild(doc.ImportNode(xmlDigitalSignature, true));

    // Strip the XML declaration, if any.
    if (doc.FirstChild is XmlDeclaration)
    {
      doc.RemoveChild(doc.FirstChild);
    }

    // Save the signed XML document to the file specified by the passed path,
    // as UTF-8 without a byte-order mark.
    using (XmlTextWriter xmltw = new XmlTextWriter(SignedFileNamePath, new UTF8Encoding(false)))
    {
      doc.WriteTo(xmltw);
    }
  }
------------------------------------
Code to verify signed XML:
------------------------------------
  // Verify the enveloped signature in an XML file against a certificate read from disk.
  // Uses the same using directives as the signing code above.
  public static bool isValidSignature(String xmlFilePath, String CertificatePath)
  {
    // Load the certificate (public key only) from the .cer file.
    X509Certificate2 cert = GetCertificateByFile(CertificatePath);

    // Create a new XML document. Whitespace must be preserved on the verifying
    // side; otherwise the canonicalized bytes can differ from what the signer
    // digested and the Reference check fails even with the right key.
    XmlDocument xmlDocument = new XmlDocument();
    xmlDocument.PreserveWhitespace = true;

    // Do not resolve external entities or DTDs referenced by the input file.
    xmlDocument.XmlResolver = null;

    // Load the passed XML file into the document.
    xmlDocument.Load(xmlFilePath);

    // Create a new SignedXml object and pass it the XML document.
    SignedXml signedXml = new SignedXml(xmlDocument);

    // Find the Signature element by namespace. This matches both the
    // unprefixed <Signature> in the locally signed file and the
    // <ds:Signature> form in the client file, whatever prefix is used.
    XmlNodeList nodeList = xmlDocument.GetElementsByTagName("Signature", "http://www.w3.org/2000/09/xmldsig#");
    if (nodeList.Count != 1)
    {
      // No signature, or more than one: refuse rather than guess which one to check.
      return false;
    }

    // Load the signature node.
    signedXml.LoadXml((XmlElement)nodeList[0]);

    // Check the signature with the supplied certificate's public key and
    // return the result. verifySignatureOnly = true skips building and
    // validating the certificate chain; the certificate embedded in KeyInfo
    // is not consulted because an explicit certificate is passed in.
    return signedXml.CheckSignature(cert, true);
  }
  This signedXml.CheckSignature(cert, true); gives the exception "System.Security.Cryptography.CryptographicException"
  with the message "SignatureDescription could not be created for the signature algorithm supplied"
  when using the client XML with ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256".

 ------------------------------------
  // Create an X509Certificate2 object from a .cer file (DER or Base64 encoded).
  public static X509Certificate2 GetCertificateByFile(string certificatePath)
  {
    byte[] rawData = ReadFile(certificatePath);
    // The byte[] constructor parses the encoded certificate directly.
    return new X509Certificate2(rawData);
  }
------------------------------------
  // Reads a whole file into memory. Requires: using System.IO;
  internal static byte[] ReadFile(string fileName)
  {
    // File.ReadAllBytes opens, reads to the end and closes the file, which
    // also avoids relying on a single FileStream.Read call returning
    // every byte.
    return File.ReadAllBytes(fileName);
  }
 ------------------------------------
Thanks in advance
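The exception comes from SignedXml itself: on the .NET Framework versions current at the time of this post, its CryptoConfig table only knows the rsa-sha1 and dsa-sha1 SignatureMethod URIs, so any rsa-sha256 signature fails before a key is even looked at. The fix is to register a SignatureDescription for the URI with CryptoConfig.AddAlgorithm (available from .NET 4.0; .NET 4.6.2 and later ship this mapping built in, and registering it again is harmless). The following is an added example, not code from the post: it registers the description and then verifies the Assertion signature of a SAML 2.0 Response the way a relying party should, with a pinned signing certificate rather than the one carried in KeyInfo, and with a check that the Reference URI names the Assertion being trusted. The class and method names, and the file paths in the usage snippet, are assumptions. Note that in the redacted sample above the Reference URI (#_testxyz12345) no longer matches the Assertion ID (_7a4); the real response must have them matching or this check correctly fails.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not from the original post). Teaches SignedXml the
// rsa-sha256 SignatureMethod URI used by the client's ADFS response.
public sealed class RsaPkcs1Sha256SignatureDescription : SignatureDescription
{
    public RsaPkcs1Sha256SignatureDescription()
    {
        KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
        DigestAlgorithm = typeof(SHA256Managed).FullName;
        FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
        DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
    }

    // Used on the verifying side (CheckSignature).
    public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
    {
        var deformatter = new RSAPKCS1SignatureDeformatter(key);
        deformatter.SetHashAlgorithm("SHA256");
        return deformatter;
    }

    // Used on the signing side (ComputeSignature).
    public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
    {
        var formatter = new RSAPKCS1SignatureFormatter(key);
        formatter.SetHashAlgorithm("SHA256");
        return formatter;
    }
}

public static class SamlSignatureCheck
{
    const string XmlDsigNs = "http://www.w3.org/2000/09/xmldsig#";
    const string RsaSha256Uri = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    const string SamlAssertionNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    static SamlSignatureCheck()
    {
        // Register once per process. The string must equal the
        // SignatureMethod Algorithm attribute byte for byte.
        CryptoConfig.AddAlgorithm(typeof(RsaPkcs1Sha256SignatureDescription), RsaSha256Uri);
    }

    // Verifies the Assertion signature inside a SAML 2.0 Response with a
    // certificate the relying party already trusts (for ADFS, the token
    // signing certificate from the client's federation metadata).
    public static bool IsAssertionSignatureValid(string responseXml, X509Certificate2 trustedSigner)
    {
        // Preserve whitespace so canonicalization sees what the signer saw;
        // no external entity resolution on untrusted input.
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        doc.LoadXml(responseXml);

        var nsmgr = new XmlNamespaceManager(doc.NameTable);
        nsmgr.AddNamespace("saml", SamlAssertionNs);
        nsmgr.AddNamespace("ds", XmlDsigNs);

        // Exactly one Assertion directly under the Response, carrying its own
        // enveloped Signature, is what this relying party accepts.
        var assertions = doc.SelectNodes("/*/saml:Assertion", nsmgr);
        if (assertions == null || assertions.Count != 1) return false;
        var assertion = (XmlElement)assertions[0];
        var signatures = assertion.SelectNodes("ds:Signature", nsmgr);
        if (signatures == null || signatures.Count != 1) return false;

        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml((XmlElement)signatures[0]);

        // The single Reference must point at this Assertion's own ID, so a
        // signature over some other element cannot vouch for it.
        if (signedXml.SignedInfo.References.Count != 1) return false;
        var reference = (Reference)signedXml.SignedInfo.References[0];
        if (reference.Uri != "#" + assertion.GetAttribute("ID")) return false;

        // Accept only the algorithm the client announced; no silent downgrade.
        if (signedXml.SignedInfo.SignatureMethod != RsaSha256Uri) return false;

        // verifySignatureOnly = true skips chain building, which is acceptable
        // here because the certificate is pinned, not taken from KeyInfo.
        return signedXml.CheckSignature(trustedSigner, true);
    }

    // Usage with assumed paths: the client's signing certificate exported as
    // a .cer file, and the response saved from the post above.
    public static void Main()
    {
        var signer = new X509Certificate2(@"C:\certs\client-token-signing.cer");
        bool ok = IsAssertionSignatureValid(File.ReadAllText(@"C:\saml\response.xml"), signer);
        Console.WriteLine(ok ? "Assertion signature valid" : "Assertion signature REJECTED");
    }
}
```

The description class also works for signing with rsa-sha256 through ComputeSignature once `signedXml.SignedInfo.SignatureMethod` is set to the rsa-sha256 URI, provided the private key is held by an RSACryptoServiceProvider whose CSP supports SHA-256.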