I had a partner IdP configured with:
"DigestMethod": "http://www.w3.org/2001/04/xmlenc#sha256",
"SignatureMethod": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
and got this error:
ComponentSpace.SAML2.Exceptions.SAMLSignatureException: Failed to generate XML signature. ---> System.Security.Cryptography.CryptographicException: Invalid algorithm specified.
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte[] hash, Int32 cbHash, ObjectHandleOnStack retSignature)
at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte[] hash)
at System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte[] rgbHash, Int32 calgHash)
at System.Security.Cryptography.Xml.SignedXml.ComputeSignature()
at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, KeyInfo keyInfo, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:line 245
--- End of inner exception stack trace ---
at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, KeyInfo keyInfo, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:line 255
at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, X509Certificate2Collection x509Certificates, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:line 356
at ComponentSpace.SAML2.Utility.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, X509Certificate2 x509Certificate, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Utility\XmlSignature.cs:line 404
at ComponentSpace.SAML2.Protocols.SAMLMessageSignature.Generate(XmlElement xmlElement, AsymmetricAlgorithm signingKey, X509Certificate2 x509Certificate, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Protocols\SAMLMessageSignature.cs:line 326
at ComponentSpace.SAML2.InternalSAMLServiceProvider.CreateAuthnRequest(SSOOptions ssoOptions, String assertionConsumerServiceUrl, String singleSignOnServiceUrl) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:line 140
at ComponentSpace.SAML2.InternalSAMLServiceProvider.InitiateSSO(HttpResponseBase httpResponse, String relayState, String partnerIdP, SSOOptions ssoOptions, String assertionConsumerServiceUrl, String singleSignOnServiceUrl) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:line 529
at ComponentSpace.SAML2.SAMLServiceProvider.InitiateSSO(HttpResponseBase httpResponse, String relayState, String partnerIdP, SSOOptions ssoOptions, String assertionConsumerServiceUrl, String singleSignOnServiceUrl) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\SAMLServiceProvider.cs:line 201
I then changed it to this:
"DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1",
"SignatureMethod": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
and it then worked fine. Am I incorrect in trying to use SHA-256?
Thanks!
You need to enable SHA-256 XML signature support on your system. Once this is done you should no longer get the "Invalid algorithm specified" error.
Please refer to the following topic which describes how to enable this support.
http://www.componentspace.com/Forums/30/SHA256-XML-Signature-Support
I do have it enabled. I have several IdPs configured with SHA256. In my app, I did as the doc recommended and have this:
// Enable SHA-256 XML signature support.
CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
It only seems to be a problem with a custom local SP certificate for a given IdP. The certificate looks fine: I can import/export it OK and can read it fine via the X509Certificate2 class. The certificate I'm using has sha256RSA as the signature algorithm.
If it’s specific to a particular certificate/private key then there must be an issue with that certificate/private key.
The most likely cause is that the wrong cryptographic provider is associated with the private key.
The following topic describes how to confirm this.
http://www.componentspace.com/Forums/1565/SHA256-and-Cryptographic-Provider-Types
If the wrong cryptographic provider is specified for the private key then you can convert this as described in the following article.
http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Provider-Type
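The check described in the answer above, as an added example written for this thread and not ComponentSpace library code: it reads RSACryptoServiceProvider.CspKeyContainerInfo to see which CryptoAPI provider holds the SP certificate's private key, demonstrates the limitation with a SHA-256 sign/verify round trip (the same SignData path that fails inside SignedXml.ComputeSignature in the stack trace), and re-homes the key material in an in-process PROV_RSA_AES container as an alternative to re-exporting the PFX. Assumptions: .NET Framework with a CryptoAPI-backed RSA key loaded as exportable; the PFX path and password are placeholder command-line arguments; the class and method names are invented for this example; provider type 24 and the "Microsoft Enhanced RSA and AES Cryptographic Provider" name are the documented Windows PROV_RSA_AES constants.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not ComponentSpace code. "Invalid algorithm specified" comes from the
// CSP that owns the private key, not from the XML signature layer: a legacy provider
// such as PROV_RSA_SCHANNEL can hash with SHA-1 but cannot sign over SHA-2 digests.
public static class SigningKeyCheck
{
    // Windows CSP type and name able to sign SHA-256 hashes (PROV_RSA_AES).
    private const int ProvRsaAes = 24;
    private const string ProvRsaAesName = "Microsoft Enhanced RSA and AES Cryptographic Provider";

    // Reports the provider that owns the key and whether it is the SHA-2 capable one.
    public static bool SupportsSha256(X509Certificate2 certificate, out string providerName)
    {
        var legacyKey = certificate.PrivateKey as RSACryptoServiceProvider;
        if (legacyKey == null)
        {
            // No private key, or a key that is not CryptoAPI RSA; nothing to convert here.
            providerName = certificate.HasPrivateKey ? certificate.PrivateKey.GetType().Name : "(no private key)";
            return false;
        }

        CspKeyContainerInfo info = legacyKey.CspKeyContainerInfo;
        providerName = info.ProviderName;
        return info.ProviderType == ProvRsaAes;
    }

    // Copies the RSA key material into a fresh, non-persisted PROV_RSA_AES container.
    // Requires the key to have been loaded as exportable; the PFX on disk is unchanged.
    public static RSACryptoServiceProvider ToAesProvider(RSACryptoServiceProvider legacyKey)
    {
        var parameters = new CspParameters(ProvRsaAes, ProvRsaAesName);
        var aesKey = new RSACryptoServiceProvider(parameters);
        aesKey.ImportParameters(legacyKey.ExportParameters(true));
        return aesKey;
    }

    // Sign-and-verify round trip over SHA-256. On a PROV_RSA_SCHANNEL key the SignData
    // call throws the same CryptographicException shown in the stack trace.
    public static bool SignsSha256(RSACryptoServiceProvider key)
    {
        byte[] sample = new byte[] { 0x53, 0x41, 0x4D, 0x4C }; // constructed input ("SAML")
        byte[] signature = key.SignData(sample, "SHA256");
        return key.VerifyData(sample, "SHA256", signature);
    }

    // Usage: SigningKeyCheck <path-to-sp.pfx> <password>  (both values are placeholders)
    public static void Main(string[] args)
    {
        var certificate = new X509Certificate2(args[0], args[1], X509KeyStorageFlags.Exportable);

        string provider;
        if (SupportsSha256(certificate, out provider))
        {
            Console.WriteLine("Key is in '{0}'; RSA-SHA256 signing works: {1}",
                provider, SignsSha256((RSACryptoServiceProvider)certificate.PrivateKey));
            return;
        }

        Console.WriteLine("Key is in '{0}', which cannot sign SHA-256 hashes.", provider);
        var legacyKey = certificate.PrivateKey as RSACryptoServiceProvider;
        if (legacyKey == null) return;

        // Pass the re-homed key as the signingKey argument of the Generate overloads
        // instead of certificate.PrivateKey; the X509Certificate2 itself is still used for KeyInfo.
        var aesKey = ToAesProvider(legacyKey);
        Console.WriteLine("Re-homed key signs SHA-256: {0}", SignsSha256(aesKey));
    }
}
```

A provider name of "Microsoft RSA SChannel Cryptographic Provider" (the value visible in the openssl -info output later in this thread) is the typical finding for certificates issued for TLS: it explains why the SHA-1 configuration works and the SHA-256 one does not. The offline alternative to ToAesProvider is to re-export the PFX with openssl pkcs12 -export and its -CSP option set to the AES provider name, then confirm with openssl pkcs12 -info that the "Microsoft CSP Name" bag attribute was written.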
You are amazing. Thank you!
You’re welcome.
I am able to generate a metadata file by calling
SAMLMetadataSignature.Generate(xmlElement, x509Certificate.PrivateKey, x509Certificate, null, "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2000/09/xmldsig#rsa-sha1");
but not
SAMLMetadataSignature.Generate(xmlElement, x509Certificate.PrivateKey, x509Certificate);
using the default sha256 encryption
I saw a post regarding this at: http://www.componentspace.com/Forums/1623/SAMLSignatureException-Failed-to-generate-XML-signature-Invalid-algorithm-specified?Keywords=Working%20with%20Federation%20Metadata
And followed the instructions on:
http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Provider-Type
to attempt to change the cryptographic provider to: Microsoft Enhanced RSA and AES Cryptographic Provider
This, however, did not work, and I am still unable to use the sha256 encryption.
Is there any further guidance you can provide to get the default sha256 encryption working?
Also if I could make a suggestion: documenting this in your documentation would be a big help for future prospective clients.
Thank you for your assistance.
Were you not able to perform the conversion using openssl?
If so, what error are you getting?
Thanks for the suggestion about the documentation. I’ll see this is incorporated into the next documentation update.
I have no errors.
Before the conversion the pfx was like this:
C:\Program Files (x86)\GnuWin32\bin>openssl pkcs12 -info -in d:\saml\RapidSSLWildCard.pfx
Enter Import Password:
MAC Iteration 1
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Bag Attributes
1.3.6.1.4.1.311.17.2:
localKeyID: 01 00 00 00
friendlyName: le-e48c316d-0efe-4765-b4d2-9fd8ffd15ba8
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
X509v3 Key Usage: 10
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2E4B86103C8222BA
After the conversion it was like this:
C:\Program Files (x86)\GnuWin32\bin>openssl pkcs12 -in d:\saml\idp.pfx
Enter Import Password:
MAC verified OK
Bag Attributes
localKeyID: 6C 7B 88 26 B7 8C 3F ED 2B 53 D3 C4 33 A9 EE 2B 1A A4 FA F3
subject=/CN=*.comviewcorp.com
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
The attribute bag for the CSP seems to be missing.
After the conversion only SHA1 works.
I updated it to 1.1.0c and it worked like a charm.
Thanks for the help
I hope this helps someone else
Thanks Matthew.
Our recommendation is to use whatever the latest version of openssl is at the time.