Unable to validate digitally signed XML document
Posted on: 14 Jul 2011
Hi All,

I have received a digitally signed XML document from a client and am trying to validate it. I am using a Windows Server 2008 R2 environment.

In this XML file the response I am getting uses the RSA-SHA256 signature algorithm:
 ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

I created a digitally signed XML document on my local machine. It shows the digital signature with the RSA-SHA1 algorithm:
SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"

I am able to validate this file using the code I have.
But I am facing problems with the client-generated XML file, which uses the SHA-256 algorithm.

I am getting the error: "SignatureDescription could not be created for the signature algorithm supplied."
I have tried various posts explaining how to validate a SAML Response but have been unable to find a solution.
Please suggest how I can validate this file, whose ds:SignatureMethod Algorithm is rsa-sha256.
------------------------------------
Here is XML file that I am able to validate:
------------------------------------
<MyElement xmlns="samples">
  Example text to be signed.<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <
SignedInfo>
  <
CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
  <
SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
  <
Reference URI="">
  <
Transforms>
  <
Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
  </
Transforms>
  <
DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
  <
DigestValue>zSI5ZAMmQ+8u7R2rP7aAPT6nNQw=</DigestValue>
  </
Reference>
  </
SignedInfo>
  <
SignatureValue>sroeP57d2oEGG/vWyXNgwtVHRD6FgJPlTObOLETuh7rzCDoTHZnk9iQzZnmYg4JPLrGpZ6Ii0zBV5TQnir6ye6B4lKdIliQ7/MBIb/w1rzj37PyfjIQhOtuHDMzehvHbBm9HOd3Q3x+jWhkQlIuDiEkxyN5MECJjg1YSXCOY+pk=</SignatureValue>
  <
KeyInfo>
  <
X509Data>
  <
X509Certificate>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</X509Certificate>
  </
X509Data>
  </
KeyInfo>
  </
Signature>
</
MyElement>
------------------------------------
Client file (unable to validate). I have changed some of the information in the XML for security reasons:
------------------------------------
<samlp:Response ID="_9sdsddsaAAsada" Version="2.0" IssueInstant="2011-06-28T15:45:13.424Z" Destination="https://test.abc.com/abc/" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <
Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://mydomain.com/adfs/services/trust</Issuer>
  <
samlp:Status>
  <
samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </
samlp:Status>
  <
Assertion ID="_7a4" IssueInstant="2011-06-28T15:45:13.424Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <
Issuer>http://mydomain.com/adfs/services/trust</Issuer>
  <
ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <
ds:SignedInfo>
  <
ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
  <
ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
  <
ds:Reference URI="#_testxyz12345">
  <
ds:Transforms>
  <
ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
  <
ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
  </
ds:Transforms>
  <
ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
  <
ds:DigestValue>tpyyynxxyyyYsk55Gh83D5kFsTgE=</ds:DigestValue>
  </
ds:Reference>
  </
ds:SignedInfo>
  <
ds:SignatureValue>1kWJzznFjd4F6A/ij4TdsqfXgsTN0QJ8dfshjsdjfsds njfjsdfsdjfdsfa3OvkUSYJ0iYznPmdOKD8SeTKuJfxOuUVKMoBMO6xHR48ywnRbzWIduP/p+G4Tcw/qT5Ka84aKEpA3nJLHAEEN4HsLVhQWD6jS852kyjPQIBmEGxG3Ya5TwU/vWg6budcVTXQ/vln+DhVhYEnR69CtUSp6eyIJb9rqV+HtUmz6djRN+1MB+80DQC8K4V4vW3YUiNGglZyXmF5g==</ds:SignatureValue>
  <
KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <
ds:X509Data>
  <
ds:X509Certificate>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</ds:X509Certificate>
  </
ds:X509Data>
  </
KeyInfo>
  </
ds:Signature>
  <
Subject>
  <
NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">SWESTKIR</NameID>
  <
SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
  <
SubjectConfirmationData NotOnOrAfter="2011-06-28T15:50:13.424Z" Recipient="https://testRecipient.test.com/abc/" />
  </
SubjectConfirmation>
  </
Subject>
  <
Conditions NotBefore="2011-06-28T15:45:13.416Z" NotOnOrAfter="2011-06-28T16:45:13.416Z">
  <
AudienceRestriction>
  <
Audience>https://Audience.test.com/abc/</Audience>
  </
AudienceRestriction>
  </
Conditions>
  <
AttributeStatement>
  <
Attribute Name="http://schemas.xmlsoap.org/claims/CommonName" a:OriginalIssuer="http://test.App.com/" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
  <
AttributeValue>efs</AttributeValue>
  </
Attribute>
  <
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" a:OriginalIssuer="http://test.App.com/" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
  <
AttributeValue>apple</AttributeValue>
  </
Attribute>
  <
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" a:OriginalIssuer="http://test.App.com/" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
  <
AttributeValue>cap</AttributeValue>
  </
Attribute>
  <
Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" a:OriginalIssuer="http://test.App.com/" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
  <
AttributeValue> </AttributeValue>
  </
Attribute>
  <
Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" a:OriginalIssuer="http://test.App.com/" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
  <
AttributeValue>test@testApp.com</AttributeValue>
  </
Attribute>
  </
AttributeStatement>
  <
AuthnStatement AuthnInstant="2011-06-28T15:45:09.805Z" SessionIndex="_5a4fd-4aba-4660-a136-80rr1b4c378">
  <
AuthnContext>
  <
AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
  </
AuthnContext>
  </
AuthnStatement>
  </
Assertion>
</
samlp:Response>

Here is my code:
------------------------------------
Code to sign an XML document:
------------------------------------
  // Sign an XML file (enveloped signature) and save the signed document to a new file.
  public static void SignXmlFile(string FilePath, string SignedFileNamePath, string SubjectName)
  {
  // Load the certificate from the certificate store.
  X509Certificate2 cert = GetCertificateBySubject(SubjectName);
  // Create a new XML document.
  XmlDocument doc = new XmlDocument();

  // Format the document to ignore white spaces.
  doc.PreserveWhitespace = false;

  // Load the passed XML file using it's name.
  doc.Load(FilePath);
  // Create a SignedXml object.
   SignedXml signedXml = new SignedXml(doc);
  // Add the key to the SignedXml document.
  signedXml.SigningKey = cert.PrivateKey;
  // Create a reference to be signed.
  Reference reference = new Reference();
  reference.Uri = "";
  // Add an enveloped transformation to the reference.
  XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
  reference.AddTransform(env);
 // Add the reference to the SignedXml object.
  signedXml.AddReference(reference);
  // Create a new KeyInfo object.
  KeyInfo keyInfo = new KeyInfo();
  // Load the certificate into a KeyInfoX509Data object
   // and add it to the KeyInfo object.
  keyInfo.AddClause(new KeyInfoX509Data(cert));
  // Add the KeyInfo object to the SignedXml object.
  signedXml.KeyInfo = keyInfo;
  // Compute the signature.
   signedXml.ComputeSignature();
  // Get the XML representation of the signature and save
  // it to an XmlElement object.
  XmlElement xmlDigitalSignature = signedXml.GetXml();
  // Append the element to the XML document.
  doc.DocumentElement.AppendChild(doc.ImportNode(xmlDigitalSignature, true));
  if (doc.FirstChild is XmlDeclaration)
  {
  doc.RemoveChild(doc.FirstChild);
  }
  // Save the signed XML document to a file specified
  // using the passed string.
  using (XmlTextWriter xmltw = new XmlTextWriter(SignedFileNamePath, new UTF8Encoding(false)))
  {
  doc.WriteTo(xmltw);
   xmltw.Close();
  }
  }
------------------------------------
Code to verify a signed XML document:
------------------------------------
  public static bool isValidSignature(String xmlFilePath, String CertificatePath)
  {
   // Load the certificate from the store.
  X509Certificate2 cert = GetCertificateByFile(CertificatePath);
  // Create a new XML document.
  XmlDocument xmlDocument = new XmlDocument();
  // Load the passed XML file into the document.
  xmlDocument.Load(xmlFilePath);
  // Create a new SignedXml object and pass it
  // the XML document class.
  SignedXml signedXml = new SignedXml(xmlDocument);
  // Find the "Signature" node and create a new
  // XmlNodeList object.
  XmlNodeList nodeList = xmlDocument.GetElementsByTagName("Signature");
  // Handling Signature and ds:Signature temporarily
  if (nodeList.Count == 0)
 {
  nodeList = xmlDocument.GetElementsByTagName("ds:Signature");
  }
  // Load the signature node.
  signedXml.LoadXml((XmlElement)nodeList[0]);
  // Check the signature and return the result.
  return signedXml.CheckSignature(cert, true);
  }
  This signedXml.CheckSignature(cert, true); call throws a System.Security.Cryptography.CryptographicException
  with the message: "SignatureDescription could not be created for the signature algorithm supplied"
  when using the client XML with ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256".

 ------------------------------------
  public static X509Certificate2 GetCertificateByFile(string certificatePath)
  {
    X509Certificate2 x509 = new X509Certificate2();
  //Create X509Certificate2 object from .cer file.
  byte[] rawData = ReadFile(certificatePath);
  x509.Import(rawData);
  return x509;
  }
------------------------------------
  // Reads a whole file into a byte array.
  internal static byte[] ReadFile(string fileName)
  {
  FileStream f = new FileStream(fileName, FileMode.Open, FileAccess.Read);
  int size = (int)f.Length;
  byte[] data = new byte[size];
  size = f.Read(data, 0, size);
  f.Close();
  return data;
  }
 ------------------------------------
Thanks in advance
