Upgrated from .NET 4.5 to .NET 4.6.2.

Support added for SHA384/SHA512 using .NET library and custom code removed.
Load Assertion in new XmlDocument before signature validation.
Bug fixes.

Author: Revsgaard

src/ITfoxtec.Identity.Saml2.Mvc/ITfoxtec.Identity.Saml2.Mvc.csproj

@@ -9,7 +9,7 @@
     <AppDesignerFolder>Properties</AppDesignerFolder>
     <RootNamespace>ITfoxtec.Identity.Saml2.Mvc</RootNamespace>
     <AssemblyName>ITfoxtec.Identity.Saml2.Mvc</AssemblyName>
-    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
+    <TargetFrameworkVersion>v4.6.2</TargetFrameworkVersion>
     <FileAlignment>512</FileAlignment>
     <TargetFrameworkProfile />
     <SccProjectName>SAK</SccProjectName>

src/ITfoxtec.Identity.Saml2.Mvc/Properties/AssemblyInfo.cs

@@ -4,12 +4,12 @@
 // General Information about an assembly is controlled through the following 
 // set of attributes. Change these attribute values to modify the information
 // associated with an assembly.
-[assembly: AssemblyTitle("ITfoxtec.Identity.Saml2.Mvc")]
+[assembly: AssemblyTitle("ITfoxtec Identity SAML 2.0 MVC")]
 [assembly: AssemblyDescription("")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("ITfoxtec")]
 [assembly: AssemblyProduct("ITfoxtec.Identity.Saml2.Mvc")]
-[assembly: AssemblyCopyright("Copyright ©  2016")]
+[assembly: AssemblyCopyright("Copyright © 2017")]
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 
@@ -30,6 +30,5 @@
 //
 // You can specify all the values or you can default the Build and Revision Numbers 
 // by using the '*' as shown below:
-// [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.1.1.0")]
-[assembly: AssemblyFileVersion("1.1.1.0")]
+[assembly: AssemblyVersion("2.0.0.0")]
+[assembly: AssemblyFileVersion("2.0.0.0")]

src/ITfoxtec.Identity.Saml2.MvcCore/Configuration/Saml2ServiceCollectionExtensions.cs

@@ -9,10 +9,8 @@ public static class Saml2ServiceCollectionExtensions
         /// <summary>
         /// Add SAML 2.0 configuration.
         /// </summary>
-        public static IServiceCollection AddSaml2(this IServiceCollection services, Saml2Configuration configuration)
-        {           
-            services.AddSingleton(configuration);
-
+        public static IServiceCollection AddSaml2(this IServiceCollection services)
+        {
             services.AddAuthentication(Saml2Constants.AuthenticationScheme)
                 .AddCookie(Saml2Constants.AuthenticationScheme, o =>
                 {

src/ITfoxtec.Identity.Saml2.MvcCore/ITfoxtec.Identity.Saml2.MvcCore.csproj

@@ -3,13 +3,15 @@
   <PropertyGroup>
     <AssemblyTitle>ITfoxtec.Identity.Saml2.MvcCore</AssemblyTitle>
     <VersionPrefix>2.0.0.0</VersionPrefix>
-    <TargetFramework>net461</TargetFramework>
+    <TargetFramework>net462</TargetFramework>
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
     <AssemblyName>ITfoxtec.Identity.Saml2.MvcCore</AssemblyName>
-    <PackageId>ITfoxtec.Identity.Saml2.MvcCore</PackageId>
+    <PackageId>ITfoxtec Identity SAML 2.0 MVC Core</PackageId>
     <GenerateAssemblyConfigurationAttribute>false</GenerateAssemblyConfigurationAttribute>
     <GenerateAssemblyCompanyAttribute>false</GenerateAssemblyCompanyAttribute>
     <GenerateAssemblyProductAttribute>false</GenerateAssemblyProductAttribute>
+    <Copyright>Copyright © 2017</Copyright>
+    <Authors />
   </PropertyGroup>
 
   <ItemGroup>

src/ITfoxtec.Identity.Saml2/Bindings/Saml2Binding.cs

@@ -47,9 +47,9 @@ protected virtual Saml2Binding<T> BindInternal(Saml2Request saml2RequestResponse
 
             if (saml2RequestResponse.Config.SigningCertificate != null)
             {
-                if (saml2RequestResponse.Config.SigningCertificate.PrivateKey == null)
+                if (saml2RequestResponse.Config.SigningCertificate.GetRSAPrivateKey() == null)
                 {
-                    throw new ArgumentException("No Private Key present in Signing Certificate or missing private key read credentials.");
+                    throw new ArgumentException("No RSA Private Key present in Signing Certificate or missing private key read credentials.");
                 }
             }
 
@@ -89,8 +89,8 @@ protected Saml2Request UnbindInternal(HttpRequest request, Saml2Request saml2Req
             if (saml2RequestResponse.SignatureAlgorithm == null)
                 saml2RequestResponse.SignatureAlgorithm = saml2RequestResponse.Config.SignatureAlgorithm;
 
-            if (saml2RequestResponse.SignatureValidationCertificates != null && saml2RequestResponse.SignatureValidationCertificates.Count(c => c.PublicKey == null) > 0)
-                throw new ArgumentException("No Public Key present in at least Signature Validation Certificate.");
+            if (saml2RequestResponse.SignatureValidationCertificates != null && saml2RequestResponse.SignatureValidationCertificates.Count(c => c.GetRSAPublicKey() == null) > 0)
+                throw new ArgumentException("No RSA Public Key present in at least Signature Validation Certificate.");
 
             return saml2RequestResponse;
         }

src/ITfoxtec.Identity.Saml2/Bindings/Saml2PostBinding.cs

@@ -32,7 +32,7 @@ protected override Saml2PostBinding BindInternal(Saml2Request saml2RequestRespon
         {
             BindInternal(saml2RequestResponse);
 
-            if ((!(saml2RequestResponse is Saml2AuthnRequest) || saml2RequestResponse.Config.SignAuthnRequest) && saml2RequestResponse.Config.SigningCertificate != null)
+            if ((!(saml2RequestResponse is Saml2AuthnRequest) || saml2RequestResponse.Config.SignAuthnRequest)  && saml2RequestResponse.Config.SigningCertificate != null)
             {
                 Cryptography.SignatureAlgorithm.ValidateAlgorithm(saml2RequestResponse.Config.SignatureAlgorithm);
                 XmlDocument = XmlDocument.SignDocument(saml2RequestResponse.Config.SigningCertificate, saml2RequestResponse.Config.SignatureAlgorithm, CertificateIncludeOption, saml2RequestResponse.Id.Value);
@@ -65,7 +65,7 @@ you must press the Continue button once to proceed.
             yield return string.Format(
 @"<input type=""hidden"" name=""{0}"" value=""{1}""/>", messageName, Convert.ToBase64String(Encoding.UTF8.GetBytes(XmlDocument.OuterXml)));
 
-            if (!string.IsNullOrWhiteSpace(RelayState))
+            if(!string.IsNullOrWhiteSpace(RelayState))
             {
                 yield return string.Format(
 @"<input type=""hidden"" name=""{0}"" value=""{1}""/>", Saml2Constants.Message.RelayState, WebUtility.HtmlEncode(RelayState));

src/ITfoxtec.Identity.Saml2/Bindings/Saml2RedirectBinding.cs

@@ -10,7 +10,6 @@
 using System.Security.Cryptography.X509Certificates;
 using ITfoxtec.Identity.Saml2.Util;
 using ITfoxtec.Identity.Saml2.Http;
-using System.IdentityModel.Tokens;
 
 namespace ITfoxtec.Identity.Saml2
 {
@@ -40,7 +39,7 @@ protected override Saml2RedirectBinding BindInternal(Saml2Request saml2RequestRe
 
             return this;
         }
-
+        
         private string SigneQueryString(string queryString, X509Certificate2 signingCertificate)
         {
             var saml2Signed = new Saml2SignedText(signingCertificate, SignatureAlgorithm);
@@ -58,7 +57,7 @@ private IEnumerable<string> RequestQueryString(Saml2Request saml2RequestResponse
                 yield return string.Join("=", Saml2Constants.Message.RelayState, Uri.EscapeDataString(RelayState));
             }
 
-            if ((!(saml2RequestResponse is Saml2AuthnRequest) || saml2RequestResponse.Config.SignAuthnRequest) && saml2RequestResponse.Config.SigningCertificate != null)
+            if((!(saml2RequestResponse is Saml2AuthnRequest) || saml2RequestResponse.Config.SignAuthnRequest) && saml2RequestResponse.Config.SigningCertificate != null)
             {
                 yield return string.Join("=", Saml2Constants.Message.SigAlg, Uri.EscapeDataString(SignatureAlgorithm));
             }
@@ -88,13 +87,13 @@ protected override Saml2Request UnbindInternal(HttpRequest request, Saml2Request
             if (!request.Query.AllKeys.Contains(messageName))
                 throw new Saml2BindingException("HTTP Query String does not contain " + messageName);
 
-            if ((!(saml2RequestResponse is Saml2AuthnRequest) || saml2RequestResponse.Config.SignAuthnRequest) &&
-                saml2RequestResponse.Config.SignatureValidationCertificates != null && saml2RequestResponse.Config.SignatureValidationCertificates.Count() > 0)
+            if ((!(saml2RequestResponse is Saml2AuthnRequest) || saml2RequestResponse.Config.SignAuthnRequest) && 
+                saml2RequestResponse.SignatureValidationCertificates != null && saml2RequestResponse.SignatureValidationCertificates.Count() > 0)
             {
-                if (!request.Query.AllKeys.Contains(Saml2Constants.Message.Signature))
+                if(!request.Query.AllKeys.Contains(Saml2Constants.Message.Signature))
                     throw new Saml2BindingException("HTTP Query String does not contain " + Saml2Constants.Message.Signature);
 
-                if (!request.Query.AllKeys.Contains(Saml2Constants.Message.SigAlg))
+                if(!request.Query.AllKeys.Contains(Saml2Constants.Message.SigAlg))
                     throw new Saml2BindingException("HTTP Query String does not contain " + Saml2Constants.Message.SigAlg);
             }
 
@@ -103,23 +102,23 @@ protected override Saml2Request UnbindInternal(HttpRequest request, Saml2Request
                 RelayState = request.Query[Saml2Constants.Message.RelayState];
             }
 
-            if ((!(saml2RequestResponse is Saml2AuthnRequest) || saml2RequestResponse.Config.SignAuthnRequest) &&
-                saml2RequestResponse.Config.SignatureValidationCertificates != null && saml2RequestResponse.Config.SignatureValidationCertificates.Count() > 0)
+            if ((!(saml2RequestResponse is Saml2AuthnRequest) || saml2RequestResponse.Config.SignAuthnRequest) && 
+                saml2RequestResponse.SignatureValidationCertificates != null && saml2RequestResponse.SignatureValidationCertificates.Count() > 0)
             {
                 var actualAignatureAlgorithm = request.Query[Saml2Constants.Message.SigAlg];
-                if (saml2RequestResponse.Config.SignatureAlgorithm == null)
+                if (saml2RequestResponse.SignatureAlgorithm == null)
                 {
-                    saml2RequestResponse.Config.SignatureAlgorithm = actualAignatureAlgorithm;
+                    saml2RequestResponse.SignatureAlgorithm = actualAignatureAlgorithm;
                 }
-                else if (!saml2RequestResponse.Config.SignatureAlgorithm.Equals(actualAignatureAlgorithm, StringComparison.InvariantCulture))
+                else if (!saml2RequestResponse.SignatureAlgorithm.Equals(actualAignatureAlgorithm, StringComparison.InvariantCulture))
                 {
-                    throw new Exception($"Signature Algorithm do not match. Expected algorithm {saml2RequestResponse.Config.SignatureAlgorithm} actual algorithm {actualAignatureAlgorithm}");
+                    throw new Exception($"Signature Algorithm do not match. Expected algorithm {saml2RequestResponse.SignatureAlgorithm} actual algorithm {actualAignatureAlgorithm}");
                 }
-                Cryptography.SignatureAlgorithm.ValidateAlgorithm(saml2RequestResponse.Config.SignatureAlgorithm);
-                SignatureAlgorithm = saml2RequestResponse.Config.SignatureAlgorithm;
+                Cryptography.SignatureAlgorithm.ValidateAlgorithm(saml2RequestResponse.SignatureAlgorithm);
+                SignatureAlgorithm = saml2RequestResponse.SignatureAlgorithm;
 
                 Signature = request.Query[Saml2Constants.Message.Signature];
-                ValidateQueryStringSignature(saml2RequestResponse, request.QueryString, messageName, Convert.FromBase64String(Signature), saml2RequestResponse.Config.SignatureValidationCertificates);
+                ValidateQueryStringSignature(saml2RequestResponse, request.QueryString, messageName, Convert.FromBase64String(Signature), saml2RequestResponse.SignatureValidationCertificates);
             }
 
             return Read(request, saml2RequestResponse, messageName, false);

src/ITfoxtec.Identity.Saml2/Configuration/Saml2Configuration.cs

@@ -1,7 +1,7 @@
 using System;
 using System.Collections.Generic;
-using System.IdentityModel.Tokens;
 using System.Security.Cryptography.X509Certificates;
+using System.Security.Cryptography.Xml;
 using System.ServiceModel.Security;
 
 namespace ITfoxtec.Identity.Saml2
@@ -17,7 +17,7 @@ public class Saml2Configuration
 
         public Uri SingleLogoutDestination { get; set; }
 
-        public string SignatureAlgorithm { get; set; } = SecurityAlgorithms.RsaSha256Signature;
+        public string SignatureAlgorithm { get; set; } = SignedXml.XmlDsigRSASHA256Url;
 
         public X509Certificate2 SigningCertificate { get; set; }
         public X509Certificate2 DecryptionCertificate { get; set; }

src/ITfoxtec.Identity.Saml2/Cryptography/Saml2SignedText.cs

@@ -5,23 +5,25 @@ namespace ITfoxtec.Identity.Saml2.Cryptography
 {
     public class Saml2SignedText
     {
-        public Saml2Signer saml2Signer { get; protected set; }
+        public Saml2Signer Saml2Signer { get; protected set; }
 
         public Saml2SignedText(X509Certificate2 certificate, string signatureAlgorithm)
         {
             if (certificate == null) throw new ArgumentNullException(nameof(certificate));
 
-            saml2Signer = new Saml2Signer(certificate, signatureAlgorithm);
+            Saml2Signer = new Saml2Signer(certificate, signatureAlgorithm);
         }
 
         public byte[] SignData(byte[] input)
         {
-            return saml2Signer.CreateFormatter().CreateSignature(saml2Signer.HashAlgorithm.ComputeHash(input));
+            var formatter = Saml2Signer.CreateFormatter();
+            return formatter.CreateSignature(Saml2Signer.HashAlgorithm.ComputeHash(input));
         }
 
         internal bool CheckSignature(byte[] input, byte[] signature)
         {
-            return saml2Signer.CreateDeformatter().VerifySignature(saml2Signer.HashAlgorithm.ComputeHash(input), signature);
+            var deformatter = Saml2Signer.CreateDeformatter();
+            return deformatter.VerifySignature(Saml2Signer.HashAlgorithm.ComputeHash(input), signature);
         }
     }
 }

src/ITfoxtec.Identity.Saml2/Cryptography/Saml2SignedXml.cs

@@ -1,7 +1,4 @@
 using System;
-using System.IdentityModel.Tokens;
-using System.Reflection;
-using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Security.Cryptography.Xml;
 using System.Xml;
@@ -10,123 +7,38 @@ namespace ITfoxtec.Identity.Saml2.Cryptography
 {
     public class Saml2SignedXml : SignedXml
     {
-        public XmlElement Element { get; protected set; }
-        public Saml2Signer saml2Signer { get; protected set; }
+        public Saml2Signer Saml2Signer { get; protected set; }
 
         public Saml2SignedXml(XmlElement element, X509Certificate2 certificate, string signatureAlgorithm) : base(element)
         {
-            if (element == null) throw new ArgumentNullException(nameof(element));
             if (certificate == null) throw new ArgumentNullException(nameof(certificate));
+            if (signatureAlgorithm == null) throw new ArgumentNullException(nameof(signatureAlgorithm));
 
-            Element = element;
-            saml2Signer = new Saml2Signer(certificate, signatureAlgorithm);
+            Saml2Signer = new Saml2Signer(certificate, signatureAlgorithm);
         }
 
         public void ComputeSignature(X509IncludeOption includeOption, string id)
         {
-            SignedInfo.SignatureMethod = saml2Signer.SignatureAlgorithm;
-            SignedInfo.CanonicalizationMethod = XmlDsigExcC14NTransformUrl;
-
             var reference = new Reference("#" + id);
             reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
             reference.AddTransform(new XmlDsigExcC14NTransform());
-            reference.DigestMethod = SignatureAlgorithm.DigestMethod(saml2Signer.SignatureAlgorithm);
+            reference.DigestMethod = SignatureAlgorithm.DigestMethod(Saml2Signer.SignatureAlgorithm);
             AddReference(reference);
 
-            // SignedXml do not support SHA256 this is a hack to support both SHA1 and SHA256
-            ComputeSignatureInternal();
+            SignedInfo.CanonicalizationMethod = XmlDsigExcC14NTransformUrl;
+            SignedInfo.SignatureMethod = Saml2Signer.SignatureAlgorithm;
+            SigningKey = Saml2Signer.Certificate.GetRSAPrivateKey();
+            ComputeSignature();
 
             KeyInfo = new KeyInfo();
-            KeyInfo.AddClause(new KeyInfoX509Data(saml2Signer.Certificate, includeOption));
+            KeyInfo.AddClause(new KeyInfoX509Data(Saml2Signer.Certificate, includeOption));
         }
 
         public new bool CheckSignature()
         {
-            ValidateSignature();
-
-            var signatureAlgorithm = saml2Signer.SignatureAlgorithm;
-            var actualAignatureAlgorithm = m_signature.SignedInfo.SignatureMethod;
-            if (signatureAlgorithm == null)
-            {
-                signatureAlgorithm = actualAignatureAlgorithm;
-                SignatureAlgorithm.ValidateAlgorithm(signatureAlgorithm);
-            }
-            else if (!signatureAlgorithm.Equals(actualAignatureAlgorithm, StringComparison.InvariantCulture))
-            {
-                throw new CryptographicException($"Signature Algorithm do not match. Expected algorithm {signatureAlgorithm} actual algorithm {actualAignatureAlgorithm}");
-            }
-
-            // SignedXml do not support SHA256 this is a hack to support both SHA1 and SHA256
-            if (!CheckSignatureInternal(signatureAlgorithm))
-            {
-                return false;
-            }
-
-            return true;
-        }
-
-        private void ValidateSignature()
-        {
-            if (SignedInfo.References.Count != 1)
-            {
-                throw new CryptographicException("There is not exactly one Signature Reference.");
-            }
-
-            var reference = SignedInfo.References[0] as Reference;
-            var referenceElement = GetIdElement(Element.OwnerDocument, reference.Uri.Substring(1));
-
-            if (referenceElement != Element)
-            {
-                throw new CryptographicException("Signature Reference is Incorrect reference.");
-            }
-        }
-
-        private void ComputeSignatureInternal()
-        {
-            BuildDigestedReferencesInvoker();
-
-            var formatter = saml2Signer.CreateFormatter();
-            byte[] hashvalue = GetC14NDigestInvoker(saml2Signer.HashAlgorithm);
-
-            m_signature.SignatureValue = formatter.CreateSignature(hashvalue);
-        }
-
-        private bool CheckSignatureInternal(string signatureAlgorithm)
-        {
-            if (!CheckSignedInfoInternal(signatureAlgorithm))
-            {
-                return false;
-            }
-
-            if (!CheckDigestedReferencesInvoker())
-            {
-                return false;
-            }
-
-            return true;
-        }
-
-        private bool CheckSignedInfoInternal(string signatureAlgorithm)
-        {
-            var deformatter = saml2Signer.CreateDeformatter(signatureAlgorithm);
-            byte[] hashvalue = GetC14NDigestInvoker(saml2Signer.HashAlgorithm);
-
-            return deformatter.VerifySignature(hashvalue, m_signature.SignatureValue);
-        }
-
-        private void BuildDigestedReferencesInvoker()
-        {
-            typeof(SignedXml).InvokeMember("BuildDigestedReferences", BindingFlags.Instance | BindingFlags.InvokeMethod | BindingFlags.NonPublic, null, this, null);
-        }
-
-        private byte[] GetC14NDigestInvoker(HashAlgorithm hash)
-        {
-            return (byte[])typeof(SignedXml).InvokeMember("GetC14NDigest", BindingFlags.Instance | BindingFlags.InvokeMethod | BindingFlags.NonPublic, null, this, new object[] { hash });
-        }
-
-        private bool CheckDigestedReferencesInvoker()
-        {
-            return (bool)typeof(SignedXml).InvokeMember("CheckDigestedReferences", BindingFlags.Instance | BindingFlags.InvokeMethod | BindingFlags.NonPublic, null, this, null);
+            SignedInfo.CanonicalizationMethod = XmlDsigExcC14NTransformUrl;
+            SignedInfo.SignatureMethod = Saml2Signer.SignatureAlgorithm;
+            return CheckSignature(Saml2Signer.Certificate, true);
         }
     }
 }