SAML2 FederationMetadata validation

I was working on a project using a SAML2 FederationMetadata document. The XML signature of the document had to be verified. I had some issues out of the box so I thought I'd document them.

"SignatureDescription could not be created for the signature algorithm supplied."

First issue was with the signature using the "" signature algorithm (RSA with a SHA-256 digest). For some reason it's not included in System.Security.Cryptography.Xml.SignedXml, so the following class has to be added:

    using System.Security.Cryptography;

    // Describes RSA PKCS#1 v1.5 signatures over a SHA-256 digest, which SignedXml does not know about by default
    public class RSAPKCS1SHA256SignatureDescription : SignatureDescription
    {
        public RSAPKCS1SHA256SignatureDescription()
        {
            base.KeyAlgorithm = "System.Security.Cryptography.RSACryptoServiceProvider";
            base.DigestAlgorithm = "System.Security.Cryptography.SHA256Managed";
            base.FormatterAlgorithm = "System.Security.Cryptography.RSAPKCS1SignatureFormatter";
            base.DeformatterAlgorithm = "System.Security.Cryptography.RSAPKCS1SignatureDeformatter";
        }

        public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
        {
            // Build the PKCS#1 deformatter and bind it to the key and the SHA-256 hash
            AsymmetricSignatureDeformatter asymmetricSignatureDeformatter = (AsymmetricSignatureDeformatter)
                CryptoConfig.CreateFromName(base.DeformatterAlgorithm);
            asymmetricSignatureDeformatter.SetKey(key);
            asymmetricSignatureDeformatter.SetHashAlgorithm("SHA256");
            return asymmetricSignatureDeformatter;
        }
    }

Before you create the SignedXml object, the signature algorithm has to be added to the crypto config:

    CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), "");

    SignedXml signedXml = new SignedXml(metadataXmlDocument);

Next issue I had was signedXml.CheckSignature(certificate, false) returning false for validly signed files. The issue was that the certificate was not in the trusted root certificate store. Why that matters I'm not sure, but the issue went away after I added it. (The second argument, verifySignatureOnly = false, makes CheckSignature build and validate the certificate's chain as well as checking the signature bytes, so a certificate that does not chain to a trusted root fails even when the signature itself is correct.)
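Putting the pieces together, here is an added end-to-end check (my example, not the post's code) that registers the description above, loads the metadata, and verifies the signature against a certificate you already trust for that federation partner. It assumes the RSAPKCS1SHA256SignatureDescription class from above, a hypothetical metadataPath and expectedCert supplied by the caller, and uses the standard RFC 4051 xmldsig-more identifier for RSA-SHA256; it also checks that the signature actually covers the root EntityDescriptor rather than some other element.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class MetadataVerifier
{
    // RSA-SHA256 algorithm identifier from RFC 4051 (xmldsig-more)
    const string RsaSha256Uri = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Returns true only if the metadata is signed by expectedCert and the signature
    // covers the whole document element, not merely an element nested inside it.
    public static bool Verify(string metadataPath, X509Certificate2 expectedCert)
    {
        CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), RsaSha256Uri);

        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.XmlResolver = null; // never resolve DTDs or external entities from untrusted XML
        doc.Load(metadataPath);

        // Only accept a ds:Signature that is a direct child of the document element
        var nsmgr = new XmlNamespaceManager(doc.NameTable);
        nsmgr.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
        var sigNode = doc.SelectSingleNode("/*/ds:Signature", nsmgr) as XmlElement;
        if (sigNode == null) return false;

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml(sigNode);

        // Exactly one Reference, pointing at the root ("" = whole document, or "#<root ID>")
        if (signedXml.SignedInfo.References.Count != 1) return false;
        var reference = (Reference)signedXml.SignedInfo.References[0];
        string rootId = doc.DocumentElement.GetAttribute("ID");
        bool coversRoot = reference.Uri == "" ||
                          (rootId.Length > 0 && reference.Uri == "#" + rootId);
        if (!coversRoot) return false;

        // Pin the signing certificate instead of trusting whatever KeyInfo carries.
        // verifySignatureOnly = true: trust comes from the pin, so the root store is not consulted;
        // pass false instead if you want chain validation as in the post.
        return signedXml.CheckSignature(expectedCert, true);
    }
}
```

Call Verify with the path of the downloaded FederationMetadata.xml and the partner's known signing certificate; any document whose signature was made with another key, or that does not enclose the root element, is rejected before its contents are used.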

posted on Friday, July 12, 2013 3:56 PM