SSO SAML Signature XML Signature Validation (using sha256)

Question:

On Windows 2003 Server, using VS2008 and .NET Framework 3.5. For security we implemented SSO using SAML. We work on the Service Provider side, and we validate the signed XML SAML Assertion token generated by the client system. Until now every signed file we have come across used the signature algorithm "rsa-sha1", but now we have a new client sending files with the signature algorithm "rsa-sha256", and that is where the problem starts.

```csharp
using System;
using System.Security.Cryptography.Xml;
using System.Xml;

// m_xmlDoc is the class's static XmlDocument holding the SAML token to verify
private static XmlDocument m_xmlDoc;

public static string VerifySignature()
{
    if (m_xmlDoc == null)
        return "Unable to load XMLDocument";
    try
    {
        XmlNamespaceManager nsm = new XmlNamespaceManager(new NameTable());
        nsm.AddNamespace("dsig", SignedXml.XmlDsigNamespaceUrl);
        XmlElement sigElt = (XmlElement)m_xmlDoc.SelectSingleNode("//dsig:Signature", nsm);

        // Load the signature for verification
        SignedXml sig = new SignedXml(m_xmlDoc);
        sig.LoadXml(sigElt);
        if (!sig.CheckSignature())
            return "Invalid signature";
    }
    catch (Exception ex)
    {
        return ex.Message;
    }
    return string.Empty;
}
```

Now when I try the same code for this new client (which uses the signature algorithm rsa-sha256) it does not work; I get the error "SignatureDescription could not be created for the signature algorithm supplied." Over the past 2-3 days I have gone through many blogs and articles, and I found that SignedXml does not support sha256. Fine. But what next? Somewhere it was mentioned to use WIF, which I also checked and tried. I am also trying the VerifySignature method of RSAPKCS1SignatureDeformatter, but I am not sure what the two parameters to pass are.

Answer:

Dotnet 4.6.2+ has the newer SHA hashes built in. For dotnet 4+, to get access to rsa-sha512, rsa-sha384 and rsa-sha256 you should include this code somewhere.

```csharp
using System.Security.Cryptography;

/// <summary>
/// Declares the signature type for rsa-sha512
/// </summary>
public class RsaPkCs1Sha512SignatureDescription : SignatureDescription
{
    // Class declaration and KeyAlgorithm line restored; the original post only
    // shows the three algorithm names below. The class name is the one passed to
    // CryptoConfig.AddAlgorithm further down.
    public RsaPkCs1Sha512SignatureDescription()
    {
        KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
        DigestAlgorithm = typeof(SHA512CryptoServiceProvider).FullName;
        FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
        DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
    }

    public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
    {
        var sigProcessor = (AsymmetricSignatureDeformatter)CryptoConfig.CreateFromName(DeformatterAlgorithm);
        sigProcessor.SetKey(key);
        sigProcessor.SetHashAlgorithm("SHA512");
        return sigProcessor;
    }

    public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
    {
        var sigProcessor = (AsymmetricSignatureFormatter)CryptoConfig.CreateFromName(FormatterAlgorithm);
        sigProcessor.SetKey(key);
        sigProcessor.SetHashAlgorithm("SHA512");
        return sigProcessor;
    }
}

/// <summary>
/// Declares the signature type for rsa-sha384
/// </summary>
public class RsaPkCs1Sha384SignatureDescription : SignatureDescription
{
    // Declaration restored as above; the scraped copy of this class is fragmentary.
    public RsaPkCs1Sha384SignatureDescription()
    {
        KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
        DigestAlgorithm = typeof(SHA384CryptoServiceProvider).FullName;
        FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
        DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
    }

    public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
    {
        var sigProcessor = (AsymmetricSignatureDeformatter)CryptoConfig.CreateFromName(DeformatterAlgorithm);
        sigProcessor.SetKey(key);
        sigProcessor.SetHashAlgorithm("SHA384");
        return sigProcessor;
    }

    public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
    {
        var sigProcessor = (AsymmetricSignatureFormatter)CryptoConfig.CreateFromName(FormatterAlgorithm);
        sigProcessor.SetKey(key);
        sigProcessor.SetHashAlgorithm("SHA384");
        return sigProcessor;
    }
}

/// <summary>
/// Declares the signature type for rsa-sha256
/// </summary>
public class RsaPkCs1Sha256SignatureDescription : SignatureDescription
{
    // Declaration restored as above.
    public RsaPkCs1Sha256SignatureDescription()
    {
        KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
        DigestAlgorithm = typeof(SHA256CryptoServiceProvider).FullName;
        FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
        DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
    }

    public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
    {
        var sigProcessor = (AsymmetricSignatureDeformatter)CryptoConfig.CreateFromName(DeformatterAlgorithm);
        sigProcessor.SetKey(key);
        sigProcessor.SetHashAlgorithm("SHA256");
        return sigProcessor;
    }

    public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
    {
        var sigProcessor = (AsymmetricSignatureFormatter)CryptoConfig.CreateFromName(FormatterAlgorithm);
        sigProcessor.SetKey(key);
        sigProcessor.SetHashAlgorithm("SHA256");
        return sigProcessor;
    }
}
```

Then you should activate these signature descriptions by calling code like this. You only need to call it once, so if you want to call it from a function, you can do it from a static constructor.

```csharp
CryptoConfig.AddAlgorithm(typeof(RsaPkCs1Sha512SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512");
CryptoConfig.AddAlgorithm(typeof(RsaPkCs1Sha384SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384");
CryptoConfig.AddAlgorithm(typeof(RsaPkCs1Sha256SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
```

Hat tip to Carlos Lopez of Microsoft, and to BitSchupster and Andrew on SO.

Answer:

For .NET 4 and earlier, I found the following works after adding Security.Cryptography from http://clrsecurity.codeplex.com/. (Note that X509CertificateFinder is my own class, which finds the signing certificate in the certificate store by thumbprint.)

```csharp
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;
using Security.Cryptography; // CLR Security library, provides RSAPKCS1SHA256SignatureDescription

/// <summary>
/// Validate an XmlDocument's signature
/// </summary>
/// <param name="xnlDoc">The SAML response with the signature element to validate</param>
/// <returns>True if the signature can be verified with the certificate</returns>
public bool ValidateX509CertificateSignature(XmlDocument xnlDoc)
{
    XmlNodeList XMLSignatures = xnlDoc.GetElementsByTagName("Signature", "http://www.w3.org/2000/09/xmldsig#");

    // Check that the response or assertion has been signed once and only once.
    if (XMLSignatures.Count != 1)
        return false;

    var signedXmlDoc = new SignedXml(xnlDoc);
    signedXmlDoc.LoadXml((XmlElement)XMLSignatures[0]);

    var certFinder = new X509CertificateFinder();
    var foundCert = certFinder.GetSignatureCertificate();

    CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");

    return signedXmlDoc.CheckSignature(foundCert, false);
}
```

Answer:

This is arguably "simple" but probably not "the solution" :) For the few customers we have run into this with, we have asked them to change their IdP to sign with SHA-1. When they did so, they were able to change it. Not a technical solution, but it works "in the field", so I thought I would mention it.

Answer:

Just update to .NET Framework 4.6.01590 or later and it will support SHA-512 without any code changes.
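The following is an added example, not code from the question or from any of the answers above. It puts the two technical answers together: the rsa-sha256 SignatureDescription registration from the first answer (needed on frameworks older than 4.6.2, harmless on later ones) and the second answer's practice of verifying against a certificate the service provider itself looks up, reduced here to passing a trusted RSA key. It signs a small constructed assertion as an IdP would and then verifies it as a service provider should. The names Sha256SamlDemo, RsaSha256SignatureDescription, SignAssertion, VerifyAssertion and NewKey, the sample assertion, its ID and both generated key pairs are constructed for the demo; it assumes .NET Framework on Windows (SignedXml with a CAPI RSA key from provider type 24).

```csharp
// Added example, not code from the question or the answers: sign a constructed
// SAML-style assertion with rsa-sha256 and verify it against a key the service
// provider trusts. Assumes .NET Framework on Windows (CAPI RSA provider type 24).
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Compact rsa-sha256 SignatureDescription, same idea as the one in the answer above.
// Only needed before .NET 4.6.2; CryptoConfig.AddAlgorithm requires a public type.
public sealed class RsaSha256SignatureDescription : SignatureDescription
{
    public RsaSha256SignatureDescription()
    {
        KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
        DigestAlgorithm = typeof(SHA256CryptoServiceProvider).FullName;
        FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
        DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
    }
    public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
    {
        var d = new RSAPKCS1SignatureDeformatter(key); d.SetHashAlgorithm("SHA256"); return d;
    }
    public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
    {
        var f = new RSAPKCS1SignatureFormatter(key); f.SetHashAlgorithm("SHA256"); return f;
    }
}

public static class Sha256SamlDemo
{
    const string RsaSha256Uri = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    const string Sha256DigestUri = "http://www.w3.org/2001/04/xmlenc#sha256";
    const string AssertionId = "_demo-assertion-1"; // constructed sample ID
    // Constructed sample; a real assertion arrives inside the IdP's SAML response.
    const string SampleAssertion =
        "<saml:Assertion ID=\"" + AssertionId + "\" Version=\"2.0\" " +
        "xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">" +
        "<saml:Issuer>https://idp.example.test</saml:Issuer>" +
        "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>";

    // Register once, from a static constructor, as the first answer suggests.
    static Sha256SamlDemo()
    {
        CryptoConfig.AddAlgorithm(typeof(RsaSha256SignatureDescription), RsaSha256Uri);
    }

    // Provider type 24 (PROV_RSA_AES): the older PROV_RSA_FULL CSP cannot sign with SHA-256.
    static RSA NewKey()
    {
        var rsa = new RSACryptoServiceProvider(2048, new CspParameters(24));
        rsa.PersistKeyInCsp = false; // demo key only, keep it out of the key store
        return rsa;
    }

    // IdP side: enveloped rsa-sha256 signature over the assertion element.
    public static XmlDocument SignAssertion(string assertionXml, RSA signingKey)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(assertionXml);
        var signedXml = new SignedXml(doc) { SigningKey = signingKey };
        signedXml.SignedInfo.SignatureMethod = RsaSha256Uri;
        var reference = new Reference("#" + AssertionId) { DigestMethod = Sha256DigestUri };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);
        // Many IdPs publish their key in <KeyInfo>; a verifier must not take its trust from there.
        signedXml.KeyInfo = new KeyInfo();
        signedXml.KeyInfo.AddClause(new RSAKeyValue(signingKey));
        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc;
    }

    // SP side: one Signature (as the second answer checks), expected algorithm, one Reference, our key.
    public static bool VerifyAssertion(XmlDocument doc, RSA trustedIdpKey)
    {
        var sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1) return false;
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigs[0]);
        if (signedXml.SignatureMethod != RsaSha256Uri) return false;
        if (signedXml.SignedInfo.References.Count != 1) return false;
        if (((Reference)signedXml.SignedInfo.References[0]).Uri != "#" + AssertionId) return false;
        return signedXml.CheckSignature(trustedIdpKey); // verifies with our key, ignores <KeyInfo>
    }

    public static void Main()
    {
        RSA idpKey = NewKey(), otherKey = NewKey(); // both constructed for the demo
        XmlDocument genuine = SignAssertion(SampleAssertion, idpKey);
        Console.WriteLine("genuine, trusted key: " + VerifyAssertion(genuine, idpKey));
        XmlDocument tampered = SignAssertion(SampleAssertion, idpKey);
        tampered.SelectSingleNode("//*[local-name()='NameID']").InnerText = "bob";
        Console.WriteLine("content changed:      " + VerifyAssertion(tampered, idpKey));
        XmlDocument foreign = SignAssertion(SampleAssertion, otherKey);
        Console.WriteLine("foreign key, trusted: " + VerifyAssertion(foreign, idpKey));
        // The question's no-argument CheckSignature() takes its key from <KeyInfo>, so the
        // foreign document passes it; this is why the key must come from SP configuration.
        var loose = new SignedXml(foreign);
        loose.LoadXml((XmlElement)foreign.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)[0]);
        Console.WriteLine("foreign key, KeyInfo: " + loose.CheckSignature());
    }
}
```

VerifyAssertion is the service-provider check: it accepts only the document whose content is intact and whose signature verifies under the key the SP was configured with, and it rejects the same assertion signed by some other party even though that party's public key travels inside the document. The last lines of Main run the question's no-argument CheckSignature() on that foreign document to show the difference: that overload reads its verification key from KeyInfo, so it cannot tell a trusted IdP from anyone else who signs with a key of their own. In production the trusted key comes from the IdP certificate the SP holds, for example a thumbprint lookup in the certificate store as the second answer does; on .NET Framework 4.6.2 and later the AddAlgorithm registration is redundant but does no harm.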
