DigestAlgorithm cannot be determined for SigningAlgorithm PS256 #1367

Open
ritocesura opened this issue Sep 20, 2022 · 3 comments

Comments

@ritocesura

ritocesura commented Sep 20, 2022

Sustainsys.Saml2.AspNetCore2
Version 2.9.0

The SAML configuration of the service provider looks as follows:

services.AddAuthentication()
    .AddSaml2("...", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.SignOutScheme = IdentityServerConstants.DefaultCookieAuthenticationScheme;
        options.SPOptions.EntityId = new EntityId("...");
        options.SPOptions.PublicOrigin = new Uri("...");
        options.SPOptions.OutboundSigningAlgorithm = "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1";
        options.SPOptions.ServiceCertificates.Add(new X509Certificate2("...", "..."));

        options.IdentityProviders.Add(
            new IdentityProvider(
                new EntityId("..."), options.SPOptions)
            {
                MetadataLocation = "...",
                LoadMetadata = true
            });
    });

I need the AuthnRequest to be signed with PS256 (sha256-rsa-MGF1). But when the application tries to sign, the following exception is thrown:
System.InvalidOperationException: Unable to find a digest algorithm for the signing algorithm http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1

Can you kindly guide me on what else I need to configure to have my AuthnRequest signed with PS256 algorithm?

@ritocesura
Author

After investigating a little further, it seems that the error message is a good indicator of what is going wrong.
SigningAlgorithm http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1 is used to get the corresponding DigestAlgorithm, which should be http://www.w3.org/2001/04/xmlenc#sha256.

The GetCorrespondingDigestAlgorithm method tries to get a DigestAlgorithm ending with "MGF1" which fails:

internal static string GetCorrespondingDigestAlgorithm(string signingAlgorithm)
{
    var matchPattern = signingAlgorithm.Substring(signingAlgorithm.LastIndexOf('-') + 1);
    string match = DigestAlgorithms.FirstOrDefault(a => a.EndsWith(
        matchPattern,
        StringComparison.Ordinal));
    if (match == null)
    {
        throw new InvalidOperationException(
            $"Unable to find a digest algorithm for the signing algorithm {signingAlgorithm}");
    }
    return match;
}

Is there a possibility to either (1) set the DigestAlgorithm in the config or (2) change the way the DigestAlgorithm is determined?

The external Idp does not allow for any other Signing- or DigestAlgorithms.
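The suffix heuristic above takes the text after the last '-' of the signing URI, which works for the RSA-SHA2 URIs ("rsa-sha256" gives "sha256") but yields "MGF1" for the RSA-PSS URIs. An added example, not Sustainsys.Saml2's own code, of the alternative a reviewer would want: an explicit table keyed on the full signing URI that covers both URI families and fails closed for anything unlisted (the class name `DigestAlgorithmMap` is assumed):

```csharp
using System;
using System.Collections.Generic;

// Added example (not library code): map XML-DSig signing-algorithm URIs to
// the digest URI that names the same hash, keyed on the full URI instead of
// a suffix. Unknown URIs throw rather than getting a guessed digest.
static class DigestAlgorithmMap
{
    // Digest URIs as used in <ds:DigestMethod>.
    const string Sha256 = "http://www.w3.org/2001/04/xmlenc#sha256";
    const string Sha384 = "http://www.w3.org/2001/04/xmldsig-more#sha384";
    const string Sha512 = "http://www.w3.org/2001/04/xmlenc#sha512";

    static readonly IReadOnlyDictionary<string, string> Table =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            // RSASSA-PKCS1 v1.5 (xmldsig-more, 2001 namespace)
            ["http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"] = Sha256,
            ["http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"] = Sha384,
            ["http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"] = Sha512,
            // RSASSA-PSS with MGF1 (xmldsig-more, 2007 namespace);
            // the first entry is the PS256 URI from this issue.
            ["http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1"] = Sha256,
            ["http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1"] = Sha384,
            ["http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1"] = Sha512,
        };

    // Same signature as the method quoted above so it could stand in for it.
    public static string GetCorrespondingDigestAlgorithm(string signingAlgorithm)
    {
        if (signingAlgorithm != null
            && Table.TryGetValue(signingAlgorithm, out var digest))
        {
            return digest;
        }
        // Fail closed: no silent fallback to a weaker or unrelated digest.
        throw new InvalidOperationException(
            $"Unable to find a digest algorithm for the signing algorithm {signingAlgorithm}");
    }
}
```

With this table, the PS256 URI from the configuration above resolves to http://www.w3.org/2001/04/xmlenc#sha256, and a misspelled or unreviewed URI still surfaces as the same InvalidOperationException instead of a near-miss suffix match.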

@ritocesura ritocesura changed the title Unable to sign AuthnRequest with PS256 algorithm DigestAlgorithm cannot be determined for SigningAlgorithm PS256 Sep 21, 2022
@AndersAbel
Member

This is a scenario that is new to me. There is no way to handle this in the 1.x or 2.x versions. However, I would be happy to include it in 3.x. The code for XML signature handling is available in the develop branch so it's possible to have a look at how to improve it.

@LeThai96

Hello @ritocesura, I have the same problem. Do you have any solution?
