Reject SHA-1 signature at SAMLMessageSignature.Verify

hiroshi
New Member (4 reputation)

Group: Forum Members
Posts: 3, Visits: 7
Is it possible to reject SHA-1 signatures at SAMLMessageSignature.Verify?
I am using public static bool Verify(XmlElement xmlElement, X509Certificate2 x509Certificate); in the SAMLMessageSignature class.
It looks like this method succeeds regardless of the signature algorithm, as long as any algorithm is declared in the response.

I would like to reject SHA-1 signature (weak), but I do not find such override method or configuration method.
Is it possible?


ComponentSpace
ComponentSpace Development (4K reputation)

Group: Administrators
Posts: 2.9K, Visits: 9.4K
It's possible to reject SHA-1 signatures if you're using the high-level API. This is done through the SAML configuration.
For example:
<PartnerIdentityProvider
    WantSignatureMethod="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

If you're using the low-level API, I'm afraid there isn't a method exposed that performs this check. Instead, you should access the signature method through the XML and check it directly.

Regards
ComponentSpace Development
hiroshi
New Member (4 reputation)

Group: Forum Members
Posts: 3, Visits: 7
ComponentSpace - 11/24/2019
It's possible to reject SHA-1 signatures if you're using the high-level API. This is done through the SAML configuration.
For example:
<PartnerIdentityProvider
    WantSignatureMethod="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

If you're using the low-level API, I'm afraid there isn't a method exposed that performs this check. Instead, you should access the signature method through the XML and check it directly.

Thank you for the response. Can you clarify what "access the signature method through the XML" means? Do you mean parse XML by some XML parser (not ComponentSpace's functionality), find "SignatureMethod" element, and examine Algorithm attribute? Or, something else?

ComponentSpace
ComponentSpace Development (4K reputation)

Group: Administrators
Posts: 2.9K, Visits: 9.4K
That's correct. Parse the XML using the .NET framework classes.
For example:

// SelectSingleNode returns XmlNode, so cast to XmlElement; the result is null if the message carries no Signature.
XmlElement signatureMethodElement = (XmlElement)samlResponseElement.SelectSingleNode(".//*[local-name(.) = 'SignatureMethod' and namespace-uri(.) = 'http://www.w3.org/2000/09/xmldsig#']");
string algorithm = signatureMethodElement.GetAttribute("Algorithm"); // e.g. http://www.w3.org/2000/09/xmldsig#rsa-sha1 for a SHA-1 signature

Regards
ComponentSpace Development
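The check described above, carried through as an added example (not ComponentSpace's own code): it rejects any SignatureMethod or DigestMethod that relies on SHA-1 before handing the element to the SAMLMessageSignature.Verify overload named in the question, and it inspects every Signature in the document rather than only the first one SelectSingleNode would return, since a Response and its Assertion may both be signed. The wrapper name and the algorithm list are my own; the SAMLMessageSignature class is assumed to be in scope as in the question.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Xml;

public static class StrictSignatureCheck
{
    const string DsigNs = "http://www.w3.org/2000/09/xmldsig#";

    // XML-DSig algorithm URIs that are built on SHA-1 (signature methods and the digest method).
    static readonly HashSet<string> Sha1Algorithms = new HashSet<string>(StringComparer.Ordinal)
    {
        "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
        "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
        "http://www.w3.org/2000/09/xmldsig#hmac-sha1",
        "http://www.w3.org/2000/09/xmldsig#sha1",
    };

    // Returns true only if no SignatureMethod or DigestMethod in the element uses SHA-1
    // and the ComponentSpace signature verification then succeeds.
    public static bool VerifyRejectingSha1(XmlElement samlElement, X509Certificate2 certificate)
    {
        var nsmgr = new XmlNamespaceManager(samlElement.OwnerDocument.NameTable);
        nsmgr.AddNamespace("ds", DsigNs);

        // Every signature in the document, not just the first in document order.
        XmlNodeList methodNodes = samlElement.SelectNodes(
            ".//ds:Signature/ds:SignedInfo/ds:SignatureMethod" +
            " | .//ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod", nsmgr);

        if (methodNodes.Count == 0)
        {
            return false; // unsigned message: nothing to verify
        }

        foreach (XmlElement method in methodNodes)
        {
            string algorithm = method.GetAttribute("Algorithm");
            if (string.IsNullOrEmpty(algorithm) || Sha1Algorithms.Contains(algorithm))
            {
                return false; // missing or SHA-1 based algorithm: reject before any crypto runs
            }
        }

        // Cryptographic verification is still done by the library (method from the question).
        return SAMLMessageSignature.Verify(samlElement, certificate);
    }
}
```

Call VerifyRejectingSha1 wherever SAMLMessageSignature.Verify was called before; a false result should be treated like any other failed signature check.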
hiroshi
New Member (4 reputation)

Group: Forum Members
Posts: 3, Visits: 7
Thanks! It's very helpful.


ComponentSpace
ComponentSpace Development (4K reputation)

Group: Administrators
Posts: 2.9K, Visits: 9.4K
You're welcome.

Regards
ComponentSpace Development