SHA-256 XML Signature Support

By default, SHA-1 signatures are supported and are perfectly suitable for the majority of use cases. However, SHA-256, SHA-384 and SHA-512 (member of the SHA-2 family of algorithms) signatures are also supported for those use cases requiring additional security.

The SHA256Signature example project demonstrates SHA-256, SHA-384 and SHA-512 signature generation and verification. Successfully running this example project confirms that SHA-256, SHA-384 and SHA-512 support is enabled.

There are two options for supporting SHA-256, SHA-384 and SHA-512 XML signatures depending on the target .NET framework level.

.NET 4.0 Framework Support
For .NET 4.0 and above, SHA-256, SHA-384 and SHA-512 support is, for the most part, built into the .NET framework. The only requirement is to register the cryptographic algorithm which is done automatically if using the .NET 4.0 version of the ComponentSpace.SAML2 DLL.

CLR Security Update for .NET 3.5
Wherever possible, if SHA-256, SHA-384 or SHA-512 support is required, it's highly recommended to upgrade to .NET 4.0 or later.
The .NET 2.0 framework does not support SHA-256, SHA-384 or SHA-512, or the CLR security update.
For .NET 3.5, SHA-256, SHA-384 and SHA-512 support in XML signatures requires the use of the CLR security update.
Version of the CLR security update is recommended as a strong named version of the CLR security update DLL is required for installation into the GAC.
Download the CLR security update from:

Installation instructions may be found at:

Extract the Security.Cryptography DLL from the CLR security zip.

Run gacutil.exe /i Security.Cryptography.dll to add the assembly to the GAC.

View the assembly (e.g. C:\Windows\assembly) and note the version number (e.g Alternatively, the version number may be found by running:

gacutil.exe /l Security.Cryptography

Update machine.config (e.g. for .NET 3.5 in C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config and C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config) ensuring the version number of the assembly is correct. The should be inserted after the section in . See below for an example configuration.

Certificates and keys should be generated using the “Microsoft Enhanced RSA and AES Cryptographic Provider”.

The following is an example configuration for insertion into machine.config." class="RSASHA256SignatureDescription" />

To generate SHA-256 signatures, use one of the overloaded signature Generate methods that take as parameters the digest and signature methods.
The default digest method is
The default signature method is
Instead of the defaults, specify as the digest method and as the signature method.

For example:


No code changes are required to verify SHA-256 signatures.

Cryptographic Provider Types
Not all cryptographic provider types support SHA-256 XML signatures.
Refer to the following topics for more information.
SHA-256 and Cryptographic Provider Types
SHA-256 and Converting the Cryptographic Provider Type