Well, judging by the subject it is a very broad question, but I can narrow down the details.
One of our clients sends us SAML (either the response signed or the assertion signed), but the signature validation fails in both cases. The client claims to use the same certificate successfully with hundreds of other clients, so we now suspect the certificate fails chain validation (the intermediate one).
However, I used the following code to test the certificate, and it passed validation:
Snippet
using System;
using System.Security.Cryptography.X509Certificates;

static void Main(string[] args)
{
    var cert = new X509Certificate2(@"c:\temp\my.cer");
    VerifyCertificate(cert);
}

static void VerifyCertificate(X509Certificate2 primaryCertificate)
{
    var chain = new X509Chain();
    chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
    chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
    chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

    // Build() returns false when the chain has problems; ChainStatus lists why.
    bool chainOk = chain.Build(primaryCertificate);
    Console.WriteLine("Chain built: " + chainOk);
    if (chain.ChainStatus.Length != 0)
    {
        foreach (X509ChainStatus objChainStatus in chain.ChainStatus)
        {
            Console.WriteLine(objChainStatus.Status.ToString() + " - " + objChainStatus.StatusInformation);
        }
    }

    // Verify() builds a chain with default (online revocation) policy.
    var bVerif = primaryCertificate.Verify();
    Console.WriteLine("Verify(): " + bVerif);
}
I turned on the verbose tracing of ComponentSpace.Saml2 but there is not too much info I can get
ComponentSpace.SAML2 Verbose: 0 : 20120/6: 9/21/2016 1:53:21 PM: The X.509 certificate with subject name ************** and serial number +++++ is being used to verify the XML signature.
ComponentSpace.SAML2 Verbose: 0 : 20120/6: 9/21/2016 1:53:22 PM: Verifying the XML signature.
ComponentSpace.SAML2 Verbose: 0 : 20120/6: 9/21/2016 1:53:22 PM: Failed to verify the XML signature.
ComponentSpace.SAML2 Verbose: 0 : 20120/6: 9/21/2016 1:53:22 PM: XML signature method: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
ComponentSpace.SAML2 Verbose: 0 : 20120/6: 9/21/2016 1:53:22 PM: The X.509 certificate with subject name ************** and serial number +++++ is embedded in the XML signature.
ComponentSpace.SAML2 Verbose: 0 : 20120/6: 9/21/2016 1:53:22 PM: The asymmetric key type is RSACryptoServiceProvider.
ComponentSpace.SAML2 Verbose: 0 : 20120/6: 9/21/2016 1:53:22 PM: The asymmetric key’s associated cryptographic service provider supports SHA-256 signatures.
Is there a way I can get further info about the failure reason?
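One way to narrow this down, as an added example that is not from the question or from ComponentSpace: load the response with System.Security.Cryptography.Xml and verify the signature twice with chain building switched off, once with the certificate you configured and once with the certificate embedded in the ds:KeyInfo, so a chain problem is separated from a key or digest mismatch. The file paths and the class name are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

static class SamlSignatureDiagnostics
{
    // Returns a text report; both paths are placeholders for your own files.
    public static string Diagnose(string samlXmlPath, string configuredCertPath)
    {
        // Whitespace changes alter the reference digest, so preserve it on load.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.Load(samlXmlPath);

        var nodes = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count == 0) return "No ds:Signature element found";

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)nodes[0]);

        var report = new StringBuilder();
        report.AppendLine("SignatureMethod: " + signedXml.SignatureMethod);
        report.AppendLine("Canonicalization: " + signedXml.SignedInfo.CanonicalizationMethod);
        foreach (Reference r in signedXml.SignedInfo.References)
            report.AppendLine("Reference URI: " + r.Uri + " digest: " + r.DigestMethod);

        // Pick the first certificate carried in ds:KeyInfo/ds:X509Data, if any.
        X509Certificate2 embedded = null;
        foreach (KeyInfoClause clause in signedXml.KeyInfo)
        {
            var x509 = clause as KeyInfoX509Data;
            if (x509 != null && x509.Certificates.Count > 0)
                embedded = (X509Certificate2)x509.Certificates[0];
        }

        var configured = new X509Certificate2(configuredCertPath);
        report.AppendLine("Configured thumbprint: " + configured.Thumbprint);
        report.AppendLine("Embedded thumbprint: " + (embedded == null ? "(none)" : embedded.Thumbprint));

        // verifySignatureOnly = true skips chain building, so a failure here is a
        // digest or key mismatch rather than an untrusted or incomplete chain.
        report.AppendLine("Verifies with configured cert, no chain check: " + signedXml.CheckSignature(configured, true));
        if (embedded != null)
            report.AppendLine("Verifies with embedded cert, no chain check: " + signedXml.CheckSignature(embedded, true));
        return report.ToString();
    }
}
```

If the embedded certificate verifies but the configured one does not, the two thumbprints tell you the client is signing with a different key than the one you were given. If neither verifies, the signed content itself changed between signing and verification (re-serialization, whitespace, or an unsupported signature method), and the chain is not the problem.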