【Question title】: How can I sign XML SAML Assertions in ASP.NET CORE
【Posted】: 2017-11-13 12:11:58
【Question】:

When I try to sign XML (SAML) I get this error in a Web API ASP.NET Core (2.0.2) project:

System.InvalidOperationException: There is an error in XML document. ---> System.InvalidOperationException: Instance validation error: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' is not a valid value for SignatureMethodAlgorithm.

The target is the full framework - .Net 4.7.1.

If I retarget to .Net 4.6.2 or .Net 4.7, the code works fine.

Update: It turns out I was using a third-party library that expected the default hash algorithm in SignedXml to be sha1. As part of .Net 4.7.1 this was changed to sha256. It was not really a signing problem but a deserialization problem. I solved it by setting the context switch according to the .Net 4.7.1 docs https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/retargeting/4.7-4.7.1

【Comments】:

  • Without any code this isn't a very good SO question. Better to ask MS support.
  • As a suggestion, maybe you now have to add it.
  • It turns out I was using a third-party library that expected the default hash algorithm in SignedXml to be sha1. As part of .net 4.7.1 this was changed to sha256. It was not really a signing problem but a deserialization problem. I solved it by setting the context switch according to the .net 4.7.1 docs docs.microsoft.com/en-us/dotnet/framework/migration-guide/…

Tags: c# asp.net xml


【Answer 1】:

I think I've run into this in the past (just not in a Core project), and this is how I solved it:

Add the following class to your project:

using System;
using System.Security.Cryptography;

namespace xxx.Infrastructure.Crypto
{
    /// <summary>
    ///     <para>
    ///         The RSAPKCS1SHA256SignatureDescription class provides a signature description implementation
    ///         for RSA-SHA256 signatures. It allows XML digital signatures to be produced using the
    ///         http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 signature type.
    ///         RSAPKCS1SHA256SignatureDescription provides the same interface as other signature description
    ///         implementations shipped with the .NET Framework, such as
    ///         <see cref="RSAPKCS1SHA1SignatureDescription" />.
    ///     </para>
    ///     <para>
    ///         RSAPKCS1SHA256SignatureDescription is not generally intended for use on its own, instead it
    ///         should be consumed by higher level cryptography services such as the XML digital signature
    ///         stack. It can be registered in <see cref="CryptoConfig" /> so that these services can create
    ///         instances of this signature description and use RSA-SHA256 signatures.
    ///     </para>
    ///     <para>
    ///         Registration in CryptoConfig requires editing the machine.config file found in the .NET
    ///         Framework installation's configuration directory (such as
    ///         %WINDIR%\Microsoft.NET\Framework\v2.0.50727\Config or
    ///         %WINDIR%\Microsoft.NET\Framework64\v2.0.50727\Config) to include registration information on
    ///         the type. For example:
    ///     </para>
    ///     <example>
    ///         <![CDATA[
    ///             <configuration>
    ///               <mscorlib>
    ///                 <!-- ... -->
    ///                 <cryptographySettings>
    ///                   <cryptoNameMapping>
    ///                     <cryptoClasses>
    ///                       <cryptoClass RSASHA256SignatureDescription="Security.Cryptography.RSAPKCS1SHA256SignatureDescription, Security.Cryptography, Version=1.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    ///                     </cryptoClasses>
    ///                     <nameEntry name="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" class="RSASHA256SignatureDescription" />
    ///                   </cryptoNameMapping>
    ///                 </cryptographySettings>
    ///               </mscorlib>
    ///             </configuration>
    ///         ]]>
    ///     </example>
    ///     <para>
    ///         After adding this registration entry, the assembly which contains the
    ///         RSAPKCS1SHA256SignatureDescription (in the example above Security.Cryptography.dll) needs to
    ///         be added to the GAC.
    ///     </para>
    ///     <para>
    ///         Note that on 64 bit machines, both the Framework and Framework64 machine.config files should
    ///         be updated, and if the signature description assembly is built bit-specific it needs to be
    ///         added to both the 32 and 64 bit GACs.
    ///     </para>
    ///     <para>
    ///         RSA-SHA256 signatures are first available on the .NET Framework 3.5 SP 1 and as such the
    ///         RSAPKCS1SHA256SignatureDescription requires .NET 3.5 SP 1 and Windows Server 2003 or greater
    ///         to work properly.
    ///     </para>
    ///     <para>
    ///         On Windows 2003, the default OID registrations are not setup for the SHA2 family of hash
    ///         algorithms, and this can cause the .NET Framework v3.5 SP 1 to be unable to create RSA-SHA2
    ///         signatures. To fix this problem, the <see cref="Oid2.RegisterSha2OidInformationForRsa" />
    ///         method can be called to create the necessary OID registrations.
    ///     </para>
    /// </summary>
    public class RSAPKCS1SHA256SignatureDescription : SignatureDescription
    {
        /// <summary>
        ///     Construct an RSAPKCS1SHA256SignatureDescription object. The default settings for this object
        ///     are:
        ///     <list type="bullet">
        ///         <item>Digest algorithm - <see cref="SHA256Managed" /></item>
        ///         <item>Key algorithm - <see cref="RSACryptoServiceProvider" /></item>
        ///         <item>Formatter algorithm - <see cref="RSAPKCS1SignatureFormatter" /></item>
        ///         <item>Deformatter algorithm - <see cref="RSAPKCS1SignatureDeformatter" /></item>
        ///     </list>
        /// </summary>
        public RSAPKCS1SHA256SignatureDescription()
        {
            KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
            DigestAlgorithm = typeof(SHA256Managed).FullName;   // Note - SHA256CryptoServiceProvider is not registered with CryptoConfig
            FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
            DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
        }

        public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
        {
            if (key == null)
                throw new ArgumentNullException("key");

            RSAPKCS1SignatureDeformatter deformatter = new RSAPKCS1SignatureDeformatter(key);
            deformatter.SetHashAlgorithm("SHA256");
            return deformatter;
        }

        public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
        {
            if (key == null)
                throw new ArgumentNullException("key");

            RSAPKCS1SignatureFormatter formatter = new RSAPKCS1SignatureFormatter(key);
            formatter.SetHashAlgorithm("SHA256");
            return formatter;
        }
    }
}

In your startup code (as early as possible) add the following:

CryptoConfig.AddAlgorithm(
    typeof(xxx.Infrastructure.Crypto.RSAPKCS1SHA256SignatureDescription),
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
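A worked example, added here and not part of the question or the answer, that uses the answer's description class to sign a SAML assertion with SignedXml and verify it, pinning rsa-sha256 and SHA-256 digests explicitly so the result does not depend on the SignedXml default that changed in 4.7.1. It assumes the answer's class is compiled into the same project under its xxx.Infrastructure.Crypto placeholder namespace and, on .NET Core, that the System.Security.Cryptography.Xml package is referenced.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class SamlAssertionSigner
{
    const string RsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    static SamlAssertionSigner()
    {
        // Register the answer's signature description once (namespace is the answer's placeholder).
        CryptoConfig.AddAlgorithm(typeof(xxx.Infrastructure.Crypto.RSAPKCS1SHA256SignatureDescription), RsaSha256);
    }
    // Adds an enveloped RSA-SHA256 signature over the element whose ID attribute equals assertionId.
    public static void Sign(XmlDocument doc, RSA signingKey, string assertionId)
    {
        var signedXml = new SignedXml(doc) { SigningKey = signingKey };
        signedXml.SignedInfo.SignatureMethod = RsaSha256; // pinned explicitly, not left to the SignedXml default
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        var reference = new Reference("#" + assertionId) { DigestMethod = "http://www.w3.org/2001/04/xmlenc#sha256" };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();
        // SAML 2.0 places <ds:Signature> directly after <saml:Issuer>.
        doc.DocumentElement.InsertAfter(doc.ImportNode(signedXml.GetXml(), true), doc.DocumentElement.FirstChild);
    }
    // Verifies the single enveloped signature and rejects any signature method other than RSA-SHA256.
    public static bool Verify(XmlDocument doc, RSA publicKey)
    {
        var nodes = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1) return false;                       // exactly one signature expected
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)nodes[0]);
        if (signedXml.SignatureMethod != RsaSha256) return false; // no silent downgrade to SHA-1
        return signedXml.CheckSignature(publicKey);
    }
    public static void Main()
    {
        var doc = new XmlDocument { PreserveWhitespace = true };  // constructed minimal assertion
        doc.LoadXml("<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_a1\" Version=\"2.0\">"
            + "<saml:Issuer>https://idp.example</saml:Issuer><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>");
        using (var rsa = RSA.Create())  // throwaway key for the demo; use the IdP certificate's private key in practice
        {
            Sign(doc, rsa, "_a1");
            Console.WriteLine(Verify(doc, rsa) ? "signature valid" : "signature INVALID");
        }
    }
}
```

Because Verify checks the SignatureMethod before CheckSignature, an assertion signed with the old SHA-1 default is rejected rather than silently accepted.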

【Comments】:

  • Wasn't there previously a class System.Deployment.Internal.CodeSigning.RSAPKCS1SHA256SignatureDescription? Did it disappear or move to a new namespace/package?
  • That one does exist, but it doesn't seem to exist in .NET Core, only in .NET Framework (4.5+).