Merge pull request #137 from SINC-GmbH/fix_for_sha256-rsa-MGF_support

Revsgaard · web-flow · commit 552b8ad17d75 · 2023-05-09T14:35:33.000+02:00
extend SignatureAlgorithms of sha256-rsa-MGF
diff --git a/src/ITfoxtec.Identity.Saml2/Cryptography/Saml2Signer.cs b/src/ITfoxtec.Identity.Saml2/Cryptography/Saml2Signer.cs
@@ -20,6 +20,7 @@ static Saml2Signer()
             CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), Saml2SecurityAlgorithms.RsaSha256Signature);
             CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA384SignatureDescription), Saml2SecurityAlgorithms.RsaSha384Signature);
             CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA512SignatureDescription), Saml2SecurityAlgorithms.RsaSha512Signature);
+            CryptoConfig.AddAlgorithm(typeof(RSAPSSSHA256SignatureDescription), Saml2SecurityAlgorithms.RsaPssSha256Signature);
         }
 #endif
 
diff --git a/src/ITfoxtec.Identity.Saml2/Cryptography/SignatureAlgorithm.cs b/src/ITfoxtec.Identity.Saml2/Cryptography/SignatureAlgorithm.cs
@@ -23,8 +23,12 @@ public static void ValidateAlgorithm(string signatureAlgorithm)
             {
                 return;
             }
+            else if (Saml2SecurityAlgorithms.RsaPssSha256Signature.Equals(signatureAlgorithm, StringComparison.InvariantCulture))
+            {
+                return;
+            }
+            throw new NotSupportedException($"Only SHA1 ({Saml2SecurityAlgorithms.RsaSha1Signature}), SHA256 ({Saml2SecurityAlgorithms.RsaSha256Signature}), SHA384 ({Saml2SecurityAlgorithms.RsaSha384Signature}), SHA512 ({Saml2SecurityAlgorithms.RsaSha512Signature}) and Sha256 Rsa MGF1 ({Saml2SecurityAlgorithms.RsaPssSha256Signature}) is supported.");
 
-            throw new NotSupportedException($"Only SHA1 ({Saml2SecurityAlgorithms.RsaSha1Signature}), SHA256 ({Saml2SecurityAlgorithms.RsaSha256Signature}), SHA384 ({Saml2SecurityAlgorithms.RsaSha384Signature}) and SHA512 ({Saml2SecurityAlgorithms.RsaSha512Signature}) is supported.");
         }
 
         public static string DigestMethod(string signatureAlgorithm)
@@ -45,11 +49,15 @@ public static string DigestMethod(string signatureAlgorithm)
             {
                 return Saml2SecurityAlgorithms.Sha512Digest;
             }
+            else if (Saml2SecurityAlgorithms.RsaPssSha256Signature.Equals(signatureAlgorithm, StringComparison.InvariantCulture))
+            {
+                return Saml2SecurityAlgorithms.Sha256Digest;
+            }
             else
             {
                 ValidateAlgorithm(signatureAlgorithm);
                 throw new InvalidOperationException();
-            }
+            }            
         }
     }
 }
diff --git a/src/ITfoxtec.Identity.Saml2/Cryptography/SignatureDescriptions/RSAPSSSHA256SignatureDescription.cs b/src/ITfoxtec.Identity.Saml2/Cryptography/SignatureDescriptions/RSAPSSSHA256SignatureDescription.cs
@@ -0,0 +1,83 @@
+﻿using System.Security.Cryptography;
+
+namespace ITfoxtec.Identity.Saml2.Cryptography
+{
+    public class RSAPSSSHA256SignatureDescription : SignatureDescription
+    {
+        public RSAPSSSHA256SignatureDescription()
+        {
+            using (var rsa = RSA.Create())
+            {
+                this.KeyAlgorithm = rsa.GetType().AssemblyQualifiedName; // Does not like a simple algorithm name, but wants a type name (AssembyQualifiedName in Core)
+            }
+           
+            this.DigestAlgorithm = "SHA256"; // Somehow wants a simple algorithm name
+            this.FormatterAlgorithm = typeof(RsaPssSignatureFormatter).FullName;
+            this.DeformatterAlgorithm = typeof(RsaPssSignatureDeformatter).FullName;
+        }
+
+        public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
+        {
+            var signatureFormatter = new RsaPssSignatureFormatter();
+            signatureFormatter.SetKey(key);
+            signatureFormatter.SetHashAlgorithm(this.DigestAlgorithm);
+            return signatureFormatter;
+        }
+
+        public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
+        {
+            var signatureDeformatter = new RsaPssSignatureDeformatter();
+            signatureDeformatter.SetKey(key);
+            signatureDeformatter.SetHashAlgorithm(this.DigestAlgorithm);
+            return signatureDeformatter;
+        }
+
+        public class RsaPssSignatureFormatter : AsymmetricSignatureFormatter
+        {
+            private RSA Key { get; set; }
+            private string HashAlgorithmName { get; set; }
+
+            public override void SetKey(AsymmetricAlgorithm key)
+            {
+                this.Key = (RSA)key;
+            }
+
+            public override void SetHashAlgorithm(string strName)
+            {
+                // Verify the name
+                Oid.FromFriendlyName(strName, OidGroup.HashAlgorithm);
+
+                this.HashAlgorithmName = strName;
+            }
+
+            public override byte[] CreateSignature(byte[] rgbHash)
+            {
+                return this.Key.SignHash(rgbHash, new HashAlgorithmName(this.HashAlgorithmName), RSASignaturePadding.Pss);
+            }
+        }
+
+        public class RsaPssSignatureDeformatter : AsymmetricSignatureDeformatter
+        {
+            private RSA Key { get; set; }
+            private string HashAlgorithmName { get; set; }
+
+            public override void SetKey(AsymmetricAlgorithm key)
+            {
+                this.Key = (RSA)key;
+            }
+
+            public override void SetHashAlgorithm(string strName)
+            {
+                // Verify the name
+                Oid.FromFriendlyName(strName, OidGroup.HashAlgorithm);
+
+                this.HashAlgorithmName = strName;
+            }
+            
+            public override bool VerifySignature(byte[] rgbHash, byte[] rgbSignature)
+            {
+                return this.Key.VerifyHash(rgbHash, rgbSignature, new HashAlgorithmName(this.HashAlgorithmName), RSASignaturePadding.Pss);
+            }
+        }
+    }
+}
diff --git a/src/ITfoxtec.Identity.Saml2/Schemas/Saml2SecurityAlgorithms.cs b/src/ITfoxtec.Identity.Saml2/Schemas/Saml2SecurityAlgorithms.cs
@@ -37,6 +37,9 @@ public static class Saml2SecurityAlgorithms
         /// URI for the RSA-SHA-512 signature method for signing XML.
         /// </summary>
         public const string RsaSha512Signature = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";
-
+        /// <summary>
+        /// URI for the sha256-rsa-mgf1 signature method for signing XML.
+        /// </summary>
+        public const string RsaPssSha256Signature = "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1";
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@ static Saml2Signer()`
`20`	`20`	`CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), Saml2SecurityAlgorithms.RsaSha256Signature);`
`21`	`21`	`CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA384SignatureDescription), Saml2SecurityAlgorithms.RsaSha384Signature);`
`22`	`22`	`CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA512SignatureDescription), Saml2SecurityAlgorithms.RsaSha512Signature);`
	`23`	`+ CryptoConfig.AddAlgorithm(typeof(RSAPSSSHA256SignatureDescription), Saml2SecurityAlgorithms.RsaPssSha256Signature);`
`23`	`24`	`}`
`24`	`25`	`#endif`
`25`	`26`
Original file line number	Diff line number	Diff line change
`@@ -23,8 +23,12 @@ public static void ValidateAlgorithm(string signatureAlgorithm)`
`23`	`23`	`{`
`24`	`24`	`return;`
`25`	`25`	`}`
	`26`	`+ else if (Saml2SecurityAlgorithms.RsaPssSha256Signature.Equals(signatureAlgorithm, StringComparison.InvariantCulture))`
	`27`	`+ {`
	`28`	`+ return;`
	`29`	`+ }`
	`30`	`+ throw new NotSupportedException($"Only SHA1 ({Saml2SecurityAlgorithms.RsaSha1Signature}), SHA256 ({Saml2SecurityAlgorithms.RsaSha256Signature}), SHA384 ({Saml2SecurityAlgorithms.RsaSha384Signature}), SHA512 ({Saml2SecurityAlgorithms.RsaSha512Signature}) and Sha256 Rsa MGF1 ({Saml2SecurityAlgorithms.RsaPssSha256Signature}) is supported.");`
`26`	`31`
`27`		`- throw new NotSupportedException($"Only SHA1 ({Saml2SecurityAlgorithms.RsaSha1Signature}), SHA256 ({Saml2SecurityAlgorithms.RsaSha256Signature}), SHA384 ({Saml2SecurityAlgorithms.RsaSha384Signature}) and SHA512 ({Saml2SecurityAlgorithms.RsaSha512Signature}) is supported.");`
`28`	`32`	`}`
`29`	`33`
`30`	`34`	`public static string DigestMethod(string signatureAlgorithm)`
`@@ -45,11 +49,15 @@ public static string DigestMethod(string signatureAlgorithm)`
`45`	`49`	`{`
`46`	`50`	`return Saml2SecurityAlgorithms.Sha512Digest;`
`47`	`51`	`}`
	`52`	`+ else if (Saml2SecurityAlgorithms.RsaPssSha256Signature.Equals(signatureAlgorithm, StringComparison.InvariantCulture))`
	`53`	`+ {`
	`54`	`+ return Saml2SecurityAlgorithms.Sha256Digest;`
	`55`	`+ }`
`48`	`56`	`else`
`49`	`57`	`{`
`50`	`58`	`ValidateAlgorithm(signatureAlgorithm);`
`51`	`59`	`throw new InvalidOperationException();`
`52`		`- }`
	`60`	`+ }`
`53`	`61`	`}`
`54`	`62`	`}`
`55`	`63`	`}`
Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,9 @@ public static class Saml2SecurityAlgorithms`
`37`	`37`	`/// URI for the RSA-SHA-512 signature method for signing XML.`
`38`	`38`	`/// </summary>`
`39`	`39`	`public const string RsaSha512Signature = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";`
`40`		`-`
	`40`	`+ /// <summary>`
	`41`	`+ /// URI for the sha256-rsa-mgf1 signature method for signing XML.`
	`42`	`+ /// </summary>`
	`43`	`+ public const string RsaPssSha256Signature = "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1";`
`41`	`44`	`}`
`42`	`45`	`}`