ComponentSpace Forums

SAML assertion error when we upgraded to .NET 4.7.1

ramanik
New Member
Group: Forum Members
Posts: 3, Visits: 14
We have the following code working in .NET 4.6.2.

    SAMLAssertionSignature.Generate(samlAssertionElement, <<x509Certificate PrivateKey>>, x509Certificate);

On upgrade to .NET 4.7.1 we get:

Exception: System.Security.Cryptography.CryptographicException
Message: Invalid algorithm specified.

Source: mscorlib
   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte[] hash, Int32 cbHash, ObjectHandleOnStack retSignature)
   at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte[] hash)
   at System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte[] rgbHash, Int32 calgHash)
   at System.Security.Cryptography.Xml.SignedXml.ComputeSignature()
   at ComponentSpace.SAML2.XmlSignature.Generate(XmlElement xmlElement, String elementId, AsymmetricAlgorithm signingKey, KeyInfo keyInfo, SignedXml signedXml, String inclusiveNamespacesPrefixList, String digestMethod, String signatureMethod)

We have added the following lines in App_Start.

    protected void Application_Start(object sender, EventArgs e)
    {
        ...
        AppContext.SetSwitch("Switch.System.Security.Cryptography.Xml.UseInsecureHashAlgorithms", true);
        AppContext.SetSwitch("Switch.System.Security.Cryptography.Pkcs.UseInsecureHashAlgorithms", true);
    }

But it has no effect. The signature algorithm of the cert is SHA256.

Any guidance?
Ramani


ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
Hi Ramani,

It might be an issue with the cryptographic service provider (CSP) associated with your private key.

As an experiment, can you try with the idp.pfx that we ship?

If this works, the issue is specific to your private key file. Please refer to the following forum post for information on specifying the correct CSP for your private key.

https://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type 

Regards
ComponentSpace Development
ramanik
New Member
Group: Forum Members
Posts: 3, Visits: 14
ComponentSpace - 2/17/2020
Hi Ramani,

It might be an issue with the cryptographic service provider (CSP) associated with your private key.

As an experiment, can you try with the idp.pfx that we ship?

If this works the issue is specific to your private key file. Please refer to the following forum post for information on specifying the correct CSP for your private key.

https://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type 

Thanks for the input. The same cert works in .NET 4.6 and not in 4.7. I am not familiar with CSPs. My cert says the CSP is a PfxProvider, and I am getting "Encryption test FAILED" in the certutil dump. Does it mean anything?
c:\Temp>certutil -dump dev01.aps.com.pfx
Certificates: Not Encrypted
================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: 53d0
Issuer: C=US, CN=ApsOpowerSso
NotBefore: 1/8/2020 10:49 AM
NotAfter: 1/7/2021 10:49 AM
Subject: C=US, CN=ApsOpowerSso
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): e82d59a0f7cb713fa8b0950ed12d93af98cb5490
---------------- End Nesting Level 1 ----------------
Key Container = PfxContainer
Provider = PfxProvider
Encryption test FAILED
CertUtil: -dump command completed successfully.

ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
I'm not sure why this worked in .NET 4.6 and not 4.7. The recommended cryptographic service provider is "Microsoft Enhanced RSA and AES Cryptographic Provider".

You can update your PFX to specify this CSP using openssl as described in the following post.

https://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type 


Regards
ComponentSpace Development
ramanik
New Member
Group: Forum Members
Posts: 3, Visits: 14
ComponentSpace - 2/18/2020
I'm not sure why this worked in .NET 4.6 and not 4.7. The recommended cryptographic service provider is "Microsoft Enhanced RSA and AES Cryptographic Provider".

You can update your PFX to specify this CSP using openssl as described in the following post.

https://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type 

Thanks, but unfortunately this PFX is given to us by a third party and is used for the SAML handshake. Is there any way we can proceed without going back to the vendor and asking them to generate a new cert?

Ramani 
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
There's no requirement to generate a new certificate. The private key and certificate don't change. All that has to change is a property stored in the PFX that specifies which CSP to use.

Normally the PFX is owned by you rather than a 3rd party unless perhaps you're hosting the SAML site on behalf of the 3rd party.

As long as you have the PFX file and the password, which presumably you must have if you're using it, you can update the PFX file. This won't change the private key or the certificate.

Regards
ComponentSpace Development
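The thread ends with the vendor's point that only the CSP property in the PFX needs to change, not the key or the certificate. The following is an added example (my code, not ComponentSpace's and not from the original post) that shows the same thing from the .NET side: it reports which CAPI provider the PFX private key is bound to, probes whether that provider can sign a SHA-256 digest, and if it cannot, copies the unchanged RSA key material into an ephemeral key under "Microsoft Enhanced RSA and AES Cryptographic Provider" (provider type 24), which is the provider the vendor recommends. The "Invalid algorithm specified" message in the stack trace is CAPI's NTE_BAD_ALGID, returned when a provider that does not implement SHA-256 (the older PROV_RSA_FULL providers, type 1) is asked for it. Assumptions: .NET Framework 4.6.2 or later on Windows; the PFX is loaded with the Exportable flag (otherwise the key copy cannot be made); the file name and empty password are placeholders; and SAMLAssertionSignature.Generate accepts any AsymmetricAlgorithm, as the Generate signature in the stack trace suggests, so the converted key can be passed where cert.PrivateKey was passed before.

```csharp
// Added example (not ComponentSpace code): inspect the CSP behind a PFX private
// key, probe SHA-256 signing, and re-home the same RSA key under PROV_RSA_AES
// when the original provider rejects SHA-256. Assumes .NET Framework on Windows.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CspCheck
{
    const int ProvRsaAes = 24; // PROV_RSA_AES: the CAPI provider type that implements SHA-256
    const string AesProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider";

    // Name and type of the CSP the certificate's private key currently lives in.
    public static string DescribeProvider(X509Certificate2 cert)
    {
        var rsaCsp = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsaCsp == null)
            return "no CAPI RSA private key";
        CspKeyContainerInfo info = rsaCsp.CspKeyContainerInfo;
        return string.Format("{0} (provider type {1})", info.ProviderName, info.ProviderType);
    }

    // Probe: ask the CSP to sign a SHA-256 digest. Type-1 providers such as
    // "Microsoft Strong Cryptographic Provider" reject CALG_SHA_256 with
    // NTE_BAD_ALGID, which .NET surfaces as "Invalid algorithm specified".
    public static bool CanSignSha256(RSACryptoServiceProvider key)
    {
        byte[] probeDigest = new byte[32]; // any 32-byte value serves as the digest
        try
        {
            key.SignHash(probeDigest, CryptoConfig.MapNameToOID("SHA256"));
            return true;
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("SHA-256 signing failed: " + ex.Message);
            return false;
        }
    }

    // Returns a key usable for RSA-SHA256: the original CSP key if it works, or a
    // copy of the same key material in an ephemeral PROV_RSA_AES key. The PFX must
    // have been loaded with X509KeyStorageFlags.Exportable for the copy to succeed.
    public static RSACryptoServiceProvider GetSha256CapableKey(X509Certificate2 cert)
    {
        var rsaCsp = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsaCsp == null)
            throw new InvalidOperationException("Certificate has no CAPI RSA private key.");

        if (CanSignSha256(rsaCsp))
            return rsaCsp;

        RSAParameters p = rsaCsp.ExportParameters(true);
        try
        {
            var csp = new CspParameters(ProvRsaAes, AesProviderName)
            {
                Flags = CspProviderFlags.CreateEphemeralKey // no on-disk key container
            };
            var converted = new RSACryptoServiceProvider(csp) { PersistKeyInCsp = false };
            converted.ImportParameters(p); // same modulus and exponents, new provider
            return converted;
        }
        finally
        {
            // Scrub the exported private components from managed memory.
            Scrub(p.D, p.P, p.Q, p.DP, p.DQ, p.InverseQ);
        }
    }

    static void Scrub(params byte[][] secrets)
    {
        foreach (byte[] s in secrets)
            if (s != null) Array.Clear(s, 0, s.Length);
    }

    static void Main(string[] args)
    {
        // Path and password are placeholders; pass your own on the command line.
        string pfxPath = args.Length > 0 ? args[0] : "dev01.aps.com.pfx";
        string pfxPassword = args.Length > 1 ? args[1] : "";

        // Exportable is required for the re-homing step; MachineKeySet avoids the
        // user-profile key store when this runs under an IIS application pool.
        var cert = new X509Certificate2(pfxPath, pfxPassword,
            X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet);

        Console.WriteLine("PFX key provider: " + DescribeProvider(cert));
        RSACryptoServiceProvider signingKey = GetSha256CapableKey(cert);
        Console.WriteLine("Signing with: " + signingKey.CspKeyContainerInfo.ProviderName);

        // Hand this key to the library instead of cert.PrivateKey, e.g.
        // SAMLAssertionSignature.Generate(samlAssertionElement, signingKey, cert);
    }
}
```

Two practical notes. First, this in-process conversion is a runtime workaround; the durable fix is the one the vendor links to, re-exporting the PFX so that its stored CSP attribute names the AES provider (openssl's pkcs12 -export has a -CSP option for exactly this), after which cert.PrivateKey comes back bound to a SHA-256-capable provider with no code change. Second, the two UseInsecureHashAlgorithms switches from the first post only govern whether SignedXml and CMS are allowed to fall back to SHA-1; they do not change which CSP performs the RSA operation, so they cannot help when the provider itself rejects the algorithm.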