SAML assertion error when we upgraded to .NET 4.7.1

We have the following code working in .NET 4.6.2.
SAMLAssertionSignature.Generate(samlAssertionElement, <>, x509Certificate);

On upgrade to .NET 4.7.1 we get

Exception: System.Security.Cryptography.CryptographicException
Message: Invalid algorithm specified.

Source: mscorlib
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte[] hash, Int32 cbHash, ObjectHandleOnStack retSignature)
at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte[] hash)
at System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte[] rgbHash, Int32 calgHash)
at System.Security.Cryptography.Xml.SignedXml.ComputeSignature()
at ComponentSpace.SAML2.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, KeyInfo keyInfo, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)

We have added the following lines in App_Start.
protected void Application_Start(object sender, EventArgs e)
{
    // Opt back in to the legacy hash algorithms for XML and PKCS signing
    AppContext.SetSwitch("Switch.System.Security.Cryptography.Xml.UseInsecureHashAlgorithms", true);
    AppContext.SetSwitch("Switch.System.Security.Cryptography.Pkcs.UseInsecureHashAlgorithms", true);
}
But it has no effect.
The signature algorithm of the cert is SHA256.

Any guidance?
Ramani

Hi Ramani,

It might be an issue with the cryptographic service provider (CSP) associated with your private key.

As an experiment, can you try with the idp.pfx that we ship?

If this works the issue is specific to your private key file. Please refer to the following forum post for information on specifying the correct CSP for your private key.

https://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type

[quote]
ComponentSpace - 2/17/2020
Hi Ramani,

It might be an issue with the cryptographic service provider (CSP) associated with your private key.

As an experiment, can you try with the idp.pfx that we ship?

If this works the issue is specific to your private key file. Please refer to the following forum post for information on specifying the correct CSP for your private key.

https://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type
[/quote]

Thanks for the input. The same cert works in .NET 4.6 and not in 4.7. I am not familiar with CSP. My cert is saying the CSP is a PfxProvider, and I am getting "encryption failed" in the certutil dump. Does it mean anything?
c:\Temp>certutil -dump dev01.aps.com.pfx
Certificates: Not Encrypted
================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: 53d0
Issuer: C=US, CN=ApsOpowerSso
NotBefore: 1/8/2020 10:49 AM
NotAfter: 1/7/2021 10:49 AM
Subject: C=US, CN=ApsOpowerSso
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): e82d59a0f7cb713fa8b0950ed12d93af98cb5490
---------------- End Nesting Level 1 ----------------
Key Container = PfxContainer
Provider = PfxProvider
Encryption test FAILED
CertUtil: -dump command completed successfully.

I’m not sure why this worked in .NET 4.6 and not 4.7. The recommended cryptographic service provider is “Microsoft Enhanced RSA and AES Cryptographic Provider”.

You can update your PFX to specify this CSP using openssl as described in the following post.

https://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type

[quote]
ComponentSpace - 2/18/2020
I'm not sure why this worked in .NET 4.6 and not 4.7. The recommended cryptographic service provider is "Microsoft Enhanced RSA and AES Cryptographic Provider".

You can update your PFX to specify this CSP using openssl as described in the following post.

https://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type
[/quote]

Thanks, but unfortunately this pfx is given by a third party and is used for the SAML handshake. Is there anything we can do without going back to the vendor and asking the vendor to generate a new cert?

Ramani

There’s no requirement to generate a new certificate. The private key and certificate don’t change. All that has to change is a property stored in the PFX that specifies which CSP to use.

Normally the PFX is owned by you rather than a 3rd party unless perhaps you’re hosting the SAML site on behalf of the 3rd party.

As long as you have the PFX file and the password, which presumably you must have if you’re using it, you can update the PFX file. This won’t change the private key or the certificate.
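An added example of that PFX re-export with openssl, written for this thread rather than taken from ComponentSpace or the linked post. It assumes openssl is on PATH; the constructed self-signed key and the "changeit" password are placeholders standing in for the third-party PFX and its password.

```shell
#!/usr/bin/env bash
# Re-export a PFX so its private key is tagged with the SHA-256-capable CSP.
# Added example for this thread (not ComponentSpace code). Assumes openssl on
# PATH; file names and the "changeit" password are placeholders.
set -eu

LEGACY_CSP="Microsoft Enhanced Cryptographic Provider v1.0"        # SHA-1 era CSP
TARGET_CSP="Microsoft Enhanced RSA and AES Cryptographic Provider" # supports SHA-256

# Print the CSP name stored in the PFX key bag (empty if none is recorded).
pfx_csp_name() {  # $1 = pfx path, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -info -nodes 2>/dev/null \
    | sed -n 's/^ *Microsoft CSP Name: //p' | head -n 1
}

# Rebuild the PFX with the same key and certificate(s), changing only the CSP
# attribute. The key and certificate bytes themselves are not altered.
retag_pfx() {  # $1 = in.pfx, $2 = out.pfx, $3 = password
  local tmp; tmp=$(mktemp -d)
  openssl pkcs12 -in "$1" -passin "pass:$3" -nocerts -nodes -out "$tmp/key.pem"
  openssl pkcs12 -in "$1" -passin "pass:$3" -nokeys -out "$tmp/certs.pem"
  openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/certs.pem" \
    -CSP "$TARGET_CSP" -passout "pass:$3" -out "$2"
  rm -rf "$tmp"
}

# Walkthrough on a constructed self-signed key: tag it with the legacy CSP
# (the failing state), retag it, then print the CSP name before and after.
demo() {
  local d; d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-test" \
    -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
    -CSP "$LEGACY_CSP" -passout "pass:changeit" -out "$d/old.pfx"
  retag_pfx "$d/old.pfx" "$d/new.pfx" changeit
  pfx_csp_name "$d/old.pfx" changeit   # Microsoft Enhanced Cryptographic Provider v1.0
  pfx_csp_name "$d/new.pfx" changeit   # Microsoft Enhanced RSA and AES Cryptographic Provider
  rm -rf "$d"
}

demo
```

After retagging the real file, `pfx_csp_name your.pfx 'password'` should print the target CSP name, and certutil -dump on Windows should show it as the Provider.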