I am using the latest version (2.9.0) on .NET 6.0; I get this error when the WantAuthnRequestsSigned feature is enabled.
The certificate used has SHA256 as its signature algorithm.
I also noticed this warning: SHA256Managed is obsolete.
The code:
    // Service provider options
    spOptions.ModulePath = Configuration.ModulePath;
    spOptions.EntityId = new EntityId(uasUrl);
    spOptions.AuthenticateRequestSigningBehavior = ParseAuthenticateRequestSigningBehavior(Configuration.AuthenticateRequestSigningBehavior);
    spOptions.ReturnUrl = new Uri(publicOrigin);
    spOptions.WantAssertionsSigned = Configuration.WantAssertionSigned;
    //spOptions.MinIncomingSigningAlgorithm = Configuration.MinIncomingSigningAlgorithm;
    //spOptions.OutboundSigningAlgorithm = Configuration.OutboundSigningAlgorithm;
    spOptions.Logger = new AspNetCoreLoggerAdapter(_loggerFactory.CreateLogger());
    spOptions.PublicOrigin = new Uri(uasUrl);

    // Identity provider; OutboundSigningAlgorithm is taken straight from configuration
    IdentityProvider identityProvider = new IdentityProvider(new EntityId(Configuration.EntityId), spOptions)
    {
        LoadMetadata = !string.IsNullOrEmpty(Configuration.MetadataLocation),
        MetadataLocation = Configuration.MetadataLocation,
        AllowUnsolicitedAuthnResponse = Configuration.AllowUnsolicitedAuthnResponse,
        Binding = ParsingBindingType(Configuration.BindingType),
        OutboundSigningAlgorithm = Configuration.OutboundSigningAlgorithm,
        WantAuthnRequestsSigned = Configuration.WantAuthnRequestsSigned
    };

    // Signing certificate lookup
    if (!string.IsNullOrEmpty(Configuration.CertificateName))
    {
        //spOptions.ValidateCertificates = Configuration.ValidateCertificates;
        spOptions.ValidateCertificates = false;
        var certificate = CertificateManager.FindCertificateByFriendlyNamePassword(Configuration.CertificateName);
        if (certificate == null)
        {
            _logger?.LogInformation($"Certificate with name {Configuration.CertificateName} is not recognized or installed.");
        }
        else
        {
            _logger?.LogInformation($"Certificate with name {certificate.FriendlyName} is recognized ");
            spOptions.ServiceCertificates.Add(new ServiceCertificate
            {
                Certificate = certificate,
                Use = ParseCertificateUse(Configuration.CertificateUse),
                Status = CertificateStatus.Current
            });
            identityProvider.SigningKeys.AddConfiguredKey(new X509RawDataKeyIdentifierClause(certificate));
        }
    }
The trace is as follows:
System.InvalidCastException: Unable to cast object of type 'System.Security.Cryptography.SHA256Managed' to type 'System.Security.Cryptography.SignatureDescription'.
at string Sustainsys.Saml2.WebSso.Saml2RedirectBinding.AddSignature(string queryString, ISaml2Message message) in V:/wa_git/HAS/Modules/UAS/src/Saml2-2.8.0/Sustainsys.Saml2/WebSSO/Saml2RedirectBinding.cs:line 65
at CommandResult Sustainsys.Saml2.WebSso.Saml2RedirectBinding.Bind(TMessage message, ILoggerAdapter logger, Action<TMessage, XDocument, Saml2BindingType> xmlCreatedNotification) in V:/wa_git/HAS/Modules/UAS/src/Saml2-2.8.0/Sustainsys.Saml2/WebSSO/Saml2RedirectBinding.cs:line 46
at CommandResult Sustainsys.Saml2.IdentityProvider.Bind(TMessage message, Action<TMessage, XDocument, Saml2BindingType> xmlCreatedNotification) in V:/wa_git/HAS/Modules/UAS/src/Saml2-2.8.0/Sustainsys.Saml2/IdentityProvider.cs:line 363
at CommandResult Sustainsys.Saml2.WebSso.SignInCommand.InitiateLoginToIdp(IOptions options, IDictionary<string, string> relayData, Saml2Urls urls, IdentityProvider idp, Uri returnUrl, HttpRequestData request) in V:/wa_git/HAS/Modules/UAS/src/Saml2-2.8.0/Sustainsys.Saml2/WebSSO/SignInCommand.cs:line 168
at CommandResult Sustainsys.Saml2.WebSso.SignInCommand.Run(EntityId idpEntityId, string returnPath, HttpRequestData request, IOptions options, IDictionary<string, string> relayData) in V:/wa_git/HAS/Modules/UAS/src/Saml2-2.8.0/Sustainsys.Saml2/WebSSO/SignInCommand.cs:line 147
at async Task Sustainsys.Saml2.AspNetCore2.Saml2Handler.ChallengeAsync(AuthenticationProperties properties)
What is the value of Configuration.OutboundSigningAlgorithm? It looks like you might have entered a hashing algorithm and not a signing algorithm in your settings.
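To turn this misconfiguration into a clear startup failure instead of an InvalidCastException on the first sign-in, here is an added example (not Sustainsys.Saml2 code) that resolves the configured value through CryptoConfig exactly as the redirect binding's cast does and rejects anything that is not a SignatureDescription. The class and method names are mine; the two URI constants are the standard XML DSig RSA identifiers, and which of them resolve is an assumption that depends on what is registered in CryptoConfig in your process.

```csharp
using System;
using System.Security.Cryptography;

// Added example: validate an OutboundSigningAlgorithm setting before it is
// assigned to the IdentityProvider. Hypothetical helper, not part of the library.
public static class SigningAlgorithmCheck
{
    // Full XML Signature identifiers for RSA signing (from the XML DSig specs).
    public const string RsaSha1   = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    public const string RsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Returns the value unchanged when it names a signature algorithm;
    // throws with a specific message otherwise.
    public static string Validate(string configured)
    {
        if (string.IsNullOrWhiteSpace(configured))
            throw new ArgumentException("OutboundSigningAlgorithm is empty.");

        // Same resolution step that precedes the failing cast in
        // Saml2RedirectBinding.AddSignature.
        object resolved = CryptoConfig.CreateFromName(configured);

        switch (resolved)
        {
            case SignatureDescription:
                return configured;                          // usable for signing
            case HashAlgorithm:
                // "SHA256" resolves to a hash (SHA256Managed), which is what the trace shows.
                throw new ArgumentException(
                    $"'{configured}' names a hash algorithm, not a signature algorithm. " +
                    $"Use the full identifier, e.g. {RsaSha256}.");
            case null:
                throw new ArgumentException(
                    $"'{configured}' is not a registered algorithm name; " +
                    $"expected {RsaSha1} or {RsaSha256}.");
            default:
                throw new ArgumentException(
                    $"'{configured}' resolves to {resolved.GetType().Name}, not SignatureDescription.");
        }
    }
}
```

Wire it in as `OutboundSigningAlgorithm = SigningAlgorithmCheck.Validate(Configuration.OutboundSigningAlgorithm)` in the IdentityProvider initializer, and run it in the same process and after the same initialization as the SAML handler, because CryptoConfig.CreateFromName only knows the algorithms registered there.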