Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

Exception in SignedXML IsKeyTheCorrectAlgorithm Object Reference #1423

Closed bbecker100 closed 6 months ago

bbecker100 commented 6 months ago

Hello,

We have a .Net Core on Framework 7.0 using Sustainsys.Saml2.AspNetCore2 version 2.9.2

It is hosted in an Azure Web App and an Azure B2C tenant is also part of the solution. We have this solution running successfully with older versions of .Net and Sustainsys and are needing to replicate it, so we are trying to match everything as much as possible and don't have a lot of SAML experience.

With V.S. Remote debugging, we can see the Debug window and the following lines are seen. (The same Stack trace appears in Application Insights)

===============================================================
Sustainsys.Saml2.AspNetCore2.Saml2Handler: Information: Created metadata
Sustainsys.Saml2.AspNetCore2.Saml2Handler: Information: Created metadata
Sustainsys.Saml2.AspNetCore2.Saml2Handler: Information: Created metadata
'w3wp.exe' (CoreCLR: clrhost): Loaded 'C:\Program Files (x86)\dotnet\shared\Microsoft.AspNetCore.App\7.0.13\Microsoft.AspNetCore.Diagnostics.Abstractions.dll'.
'w3wp.exe' (CoreCLR: clrhost): Loaded 'C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.13\System.Diagnostics.StackTrace.dll'.
'w3wp.exe' (CoreCLR: clrhost): Loaded 'C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.13\System.Reflection.Metadata.dll'.
'w3wp.exe' (CoreCLR: clrhost): Loaded 'C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.13\System.Collections.Immutable.dll'.
Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware: Error: An unhandled exception has occurred while executing the request.

System.NullReferenceException: Object reference not set to an instance of an object.
   at System.Security.Cryptography.Xml.SignedXml.IsKeyTheCorrectAlgorithm(AsymmetricAlgorithm key, Type expectedType)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignedInfo(AsymmetricAlgorithm key)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key)
   at Sustainsys.Saml2.XmlHelpers.VerifySignature(IEnumerable`1 signingKeys, SignedXml signedXml, XmlElement signatureElement, Boolean validateCertificate)
   at Sustainsys.Saml2.XmlHelpers.IsSignedByAny(XmlElement xmlElement, IEnumerable`1 signingKeys, Boolean validateCertificate, String minimumSigningAlgorithm)
   at Sustainsys.Saml2.Saml2P.Saml2Response.ValidateSignature(IOptions options, IdentityProvider idp)
   at Sustainsys.Saml2.Saml2P.Saml2Response.CreateClaims(IOptions options, IdentityProvider idp)+MoveNext()
   at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
   at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
   at Sustainsys.Saml2.Saml2P.Saml2Response.GetClaims(IOptions options, IDictionary`2 relayData)
   at Sustainsys.Saml2.WebSso.AcsCommand.ProcessResponse(IOptions options, Saml2Response samlResponse, StoredRequestState storedRequestState, IdentityProvider identityProvider, String relayState)
   at Sustainsys.Saml2.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options)
   at Sustainsys.Saml2.AspNetCore2.Saml2Handler.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.<Invoke>g__Awaited|8_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)

=============================================================

We tried to enable more debugging in the SignedXml library by adding some config items, shown below, but it doesn't seem to enable any additional logging.

=============================================================

<system.diagnostics>
  <sources>
    <source name="System.Security.Cryptography.Xml.SignedXml" switchName="spSwitch">
      <listeners>
        <!--<add initializeData="C:\temp\signedxml-output.txt" type="System.Diagnostics.TextWriterTraceListener"
          name="myLocalListener" />-->
        <add name="configConsoleListener" type="System.Diagnostics.ConsoleTraceListener" />
      </listeners>
    </source>
  </sources>
  <switches>
    <add name="spSwitch" value="Verbose" />
  </switches>
  <trace autoflush="true"/>
</system.diagnostics>

=============================================================

Any suggestions on how to get more debugging info or other troubleshooting techniques?

Thanks in advance,

Bruce

bbecker100 commented 6 months ago

By looking at the Call Stack and further debugging, this line of code is returning a Null: (SignedXML.cs)

line 913:

Type type = Type.GetType(signatureDescription.KeyAlgorithm);

Here are the values in the signatureDescription:

signatureDescription.DeformatterAlgorithm = System.Security.Cryptography.RSAPKCS1SignatureDeformatter
signatureDescription.DigestAlgorithm = System.Security.Cryptography.SHA1Managed
signatureDescription.FormatterAlgorithm = System.Security.Cryptography.RSAPKCS1SignatureFormatter
signatureDescription.KeyAlgorithm = System.Security.Cryptography.RSACryptoServiceProvider

Then the 'type' is sent to IsKeyTheCorrectAlgorithm(), which causes the exception.

Not sure why it can't determine the Type at runtime, that Type is referenced earlier in the project...

bbecker100 commented 6 months ago

In the startup of the program, there were 2 Algorithms added as follows:

CryptoConfig.AddAlgorithm(typeof(Sha256SignatureDescription), SignedXml.XmlDsigRSASHA256Url);
CryptoConfig.AddAlgorithm(typeof(Sha1SignatureDescription), SignedXml.XmlDsigRSASHA1Url);

We removed the RSASHA1Url (2nd item) and rebuilt and then things started working. We also moved everything to .Net 8.0 Framework along the way.
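An added example (not code from the issue or from the Sustainsys project) of a startup check for the registrations described above: it verifies that every type name in a SignatureDescription resolves via Type.GetType before calling CryptoConfig.AddAlgorithm, so a description whose KeyAlgorithm is a bare "System.Security.Cryptography.RSACryptoServiceProvider" fails at startup with a clear message instead of as a NullReferenceException inside SignedXml during SAML response validation. Sha256SignatureDescription and Sha1SignatureDescription are the reporter's own classes and are assumed here to derive from SignatureDescription.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;

// Added example: fail-fast guard around CryptoConfig.AddAlgorithm for SignatureDescription types.
public static class SignatureDescriptionGuard
{
    // Type.GetType(name) only searches the calling assembly and the core library unless the
    // name is assembly-qualified, so "System.Security.Cryptography.RSACryptoServiceProvider"
    // (which lives in another assembly) yields null; SignedXml then dereferences that null.
    // Note: SignedXml calls Type.GetType from System.Security.Cryptography.Xml, this guard
    // calls it from the application assembly, so prefer Type.AssemblyQualifiedName values
    // in your descriptions to make both lookups agree.
    public static IReadOnlyList<string> UnresolvableTypeNames(SignatureDescription description)
    {
        var problems = new List<string>();
        foreach (var (role, name) in new[]
        {
            ("KeyAlgorithm", description.KeyAlgorithm),
            ("DigestAlgorithm", description.DigestAlgorithm),
            ("FormatterAlgorithm", description.FormatterAlgorithm),
            ("DeformatterAlgorithm", description.DeformatterAlgorithm),
        })
        {
            if (string.IsNullOrEmpty(name) || Type.GetType(name, throwOnError: false) == null)
                problems.Add($"{role}={name ?? "<null>"}");
        }
        return problems;
    }

    // Registers the description only if every referenced type resolves, so a broken
    // registration surfaces at startup rather than on the first signed response.
    public static void AddAlgorithmOrFail(Type descriptionType, string xmlDsigUri)
    {
        var description = (SignatureDescription)Activator.CreateInstance(descriptionType)!;
        var problems = UnresolvableTypeNames(description);
        if (problems.Count > 0)
        {
            throw new InvalidOperationException(
                $"{descriptionType.Name} for {xmlDsigUri} references unresolvable types: " +
                string.Join(", ", problems));
        }
        CryptoConfig.AddAlgorithm(descriptionType, xmlDsigUri);
    }
}

// Startup usage, in place of the bare CryptoConfig.AddAlgorithm calls from the issue:
// SignatureDescriptionGuard.AddAlgorithmOrFail(typeof(Sha256SignatureDescription), SignedXml.XmlDsigRSASHA256Url);
// SignatureDescriptionGuard.AddAlgorithmOrFail(typeof(Sha1SignatureDescription), SignedXml.XmlDsigRSASHA1Url);
```

With the SHA-1 description from the issue, the second call throws at startup naming KeyAlgorithm as the unresolvable entry, which is the same condition that produced the stack trace above.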