SAMLSignatureException: Failed to generate XML signature. Invalid algorithm specified

Hello,

We have updated to ComponentSpace.SAML2.dll version 2.8.2.0 from the older version 2.5.0.20.

This upgrade broke our existing integration because of:
“SAMLSignatureException: Failed to generate XML signature. Invalid algorithm specified”.

I have seen you have covered the topic in forum posts:
http://www.componentspace.com/Forums/1623/SAMLSignatureException-Failed-to-generate-XML-signature-Invalid-algorithm-specified
http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type?PageIndex=1
http://www.componentspace.com/Forums/1565/SHA256-and-Cryptographic-Provider-Types

We were generating self signed certificates for our integrations by code (not using openssl nor makecert), with Cryptographic Service Provider (CSP) set to “Microsoft Base Cryptographic Provider v1.0”, instead of “Microsoft Enhanced RSA and AES Cryptographic Provider”. We are using one of SHA256, SHA384 and SHA512 signature algorithms.

I have two questions:
• Why was this not an issue in version “2.5.0.20”?
• Is there any way we can upgrade our already generated certificates to use the correct CSP and not break existing integrations?

Thank you for the answers.

Best Regards

Prior to v2.6.0.13 we defaulted to SHA-1 signatures.
Later versions default to SHA-256 signatures although SHA-1 is still supported.
http://www.componentspace.com/Forums/5316/SHA1-vs-SHA256-XML-signatures

Upgrading your PFX file to the correct CSP should not affect other integrations.
The only change made to the PFX is a property that specifies which CSP to use.
The rest of the PFX, including the private key, remain unchanged.
You can still use the PFX to generate SHA-1 signatures if required.
Also, partner sites with your CER file can continue to use the same CER file.

Can you provide a C# example of how to set the CSP for an existing X509Certificate2?

Thanks

I don’t believe there’s a .NET framework API that supports updating the CSP.
You would have to call into the Windows API through PInvoke.
We don’t have any examples of this.

Do you have example with makecert or some other console application?

I suggest taking a look at our Certificate Guide.
http://www.componentspace.com/Forums/7813/Certificate-Guide
The “Generating Self-Signed Certificates” section describes using PowerShell’s New-SelfSignedCertificate cmdlet to generate a self-signed certificate with the correct CSP for SHA-256 signature generation.

I found the following SO article which describes updating the CSP type in C#.
https://stackoverflow.com/questions/29005876/signedxml-compute-signature-with-sha256
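The following is an added C# example, not code from ComponentSpace or from the linked SO answer, showing the approach discussed in this thread: check which CSP holds the private key, and if it is the "Microsoft Base Cryptographic Provider v1.0" (type 1), re-home the same RSA key in the "Microsoft Enhanced RSA and AES Cryptographic Provider" (type 24) so SHA-256 signing works. It assumes .NET Framework (where the X509Certificate2.PrivateKey setter is available), an exportable private key, and a freshly generated key container name.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class CspFixup
{
    // Name of the CSP holding the certificate's RSA key, or null if it is not a CryptoAPI key.
    public static string GetProviderName(X509Certificate2 cert)
    {
        var rsaCsp = cert.PrivateKey as RSACryptoServiceProvider;
        return rsaCsp?.CspKeyContainerInfo.ProviderName;
    }

    // Reproduces the symptom from this thread: the Base provider v1.0 cannot sign with SHA-2,
    // so SignData throws CryptographicException("Invalid algorithm specified").
    public static bool CanSignSha256(X509Certificate2 cert)
    {
        var rsaCsp = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsaCsp == null) return false;
        try { rsaCsp.SignData(new byte[] { 1, 2, 3 }, "SHA256"); return true; }
        catch (CryptographicException) { return false; }
    }

    // Returns a certificate whose private key lives in provider type 24.
    // Only the provider changes; the key material and the public certificate are unchanged,
    // which is why partners holding the .cer file are unaffected.
    public static X509Certificate2 ConvertToEnhancedRsaAesProvider(X509Certificate2 cert)
    {
        var original = cert.PrivateKey as RSACryptoServiceProvider;
        if (original == null)
            throw new InvalidOperationException("Certificate has no RSA CryptoAPI private key.");
        if (original.CspKeyContainerInfo.ProviderType == 24)
            return cert; // already on a SHA-2 capable provider

        var cspParams = new CspParameters(24, "Microsoft Enhanced RSA and AES Cryptographic Provider")
        {
            KeyContainerName = Guid.NewGuid().ToString(), // assumed: new container, name is arbitrary
            KeyNumber = (int)KeyNumber.Exchange,
            Flags = CspProviderFlags.UseMachineKeyStore
        };
        var enhanced = new RSACryptoServiceProvider(cspParams);
        // Throws CryptographicException if the key was generated as non-exportable.
        enhanced.ImportParameters(original.ExportParameters(true));

        var converted = new X509Certificate2(cert.RawData); // same public certificate bytes
        converted.PrivateKey = enhanced;
        return converted;
    }
}
```

Export the converted certificate with `X509ContentType.Pfx` to get a PFX that loads with the correct CSP; the original key container can be deleted afterwards if it is no longer needed.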

The EncryptedAssertion constructor defaults the symmetric key encryption method to “http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p” and the data encryption method to “http://www.w3.org/2001/04/xmlenc#aes256-cbc”.

What version of the SAML library are you using?

What version of the .NET framework are you using?

Have you tried the same code but specifying the “sp.cer” certificate that we include with the example projects? This will help identify whether the issue is related to your certificate.

If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace