Unable to sign with SHA-256
Describe the bug
Unable to sign with SHA-256; even after updating signingAlgorithm it stays SHA-1.
To Reproduce
<samlp:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    Destination="https://contactcenter.np-mylincolnportal.com/saml/SSO"
    ID="_076f5d60-4cd4-402d-b574-c191127efbfd" InResponseTo="a15026df977c8cd4bhigg9i3h99c9g"
    IssueInstant="2019-03-18T22:37:22.543Z" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://sso.lfg.com/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_076f5d60-4cd4-402d-b574-c191127efbfd">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>la0uwregQ/KZXbnrhT2vbkZm6hc=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
Where I’m updating signingAlgorithm
import org.springframework.context.annotation.Bean;
import org.springframework.security.saml.metadata.ExtendedMetadata;

// Setup advanced info about metadata
@Bean
public ExtendedMetadata extendedMetadata() {
    ExtendedMetadata extendedMetadata = new ExtendedMetadata();
    extendedMetadata.setIdpDiscoveryEnabled(false);
    // Algorithm used for the signatures this SP itself produces (its metadata and outgoing requests)
    extendedMetadata.setSigningAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
    extendedMetadata.setSignMetadata(true);
    extendedMetadata.setEcpEnabled(true);
    return extendedMetadata;
}
Error Response
Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
2019-03-18 18:20:04.615 INFO [gateway,e3fb953e205ec452,e3fb953e205ec452,false] 1 --- [io-8443-exec-10] o.s.security.saml.log.SAMLDefaultLogger : AuthNResponse;FAILURE;10.192.16.125;lfg-cc-gateway;http://sso.lfg.com/adfs/services/trust;;;org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
Issue analytics: created 5 years ago; 18 comments (3 by maintainers).
Top GitHub Comments
Sure, I am preparing my conf. Hang on.
Sorry folks, I very much appreciate your passion, but this is not the right way to manage an issue. The code that has been posted does not iron out the case, but just reflects how to set up a custom IdP in Spring SAML.
As stated by @tyleragnew, the SHA mismatch depends on the IdP configuration. In SAML-based authentication, the IdP and SP need to agree on the cipher suite when establishing the trust relationship (see https://en.wikipedia.org/wiki/SAML_metadata).
If you run this application against a SHA-256 enabled Identity Provider, everything works accordingly (see: https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/).
Note: the issue is still open just because NO secure application must still rely on SHA-1, since it has been proven to be weak against collision attacks.
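The Response quoted in the issue and the maintainer's point that the algorithm is decided on the IdP side both come down to one check: read the SignatureMethod and DigestMethod the signer actually used in the message you received, rather than the algorithm your own SP is configured to use. The script below is an added example, not code from the Spring SAML project or from anyone in this thread. It runs over a constructed Response modelled on the one in the issue (fictitious hostnames, and a placeholder where the SignatureValue, KeyInfo and Assertion that the issue does not show would be), reports every signature's algorithms, flags SHA-1/MD5, and also checks that each Reference URI points at the element carrying the signature, which is the first thing to verify before trusting what is signed.

```python
"""Audit which signature and digest algorithms a signer actually used in a SAML message.

Added example (not code from the Spring SAML project or from the issue author): the
SignatureMethod in an IdP-issued Response is chosen by the IdP, so the check is run on
the received XML rather than on the SP's own configuration.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Algorithm URIs no SAML deployment should still accept for signing or digesting.
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-md5",
    "http://www.w3.org/2001/04/xmldsig-more#md5",
}

# Constructed sample modelled on the Response quoted in the issue. Hostnames are fictitious, and
# the SignatureValue, KeyInfo and Assertion that the issue does not show are a placeholder.
SAMPLE_RESPONSE_SHA1 = f"""<samlp:Response xmlns:samlp="{SAMLP}" Version="2.0"
    ID="_076f5d60-4cd4-402d-b574-c191127efbfd" IssueInstant="2019-03-18T22:37:22.543Z"
    Destination="https://sp.example.test/saml/SSO">
  <Issuer xmlns="{SAML}">http://idp.example.test/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="{DS}">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_076f5d60-4cd4-402d-b574-c191127efbfd">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>la0uwregQ/KZXbnrhT2vbkZm6hc=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>
"""

# The same message as it should look once the IdP signs with RSA-SHA256
# (the SHA-256 digest URI lives in the XML Encryption namespace).
SAMPLE_RESPONSE_SHA256 = (
    SAMPLE_RESPONSE_SHA1
    .replace("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    .replace("http://www.w3.org/2000/09/xmldsig#sha1",
             "http://www.w3.org/2001/04/xmlenc#sha256")
)


def audit_signatures(xml_text):
    """Return one finding per ds:Reference of every ds:Signature in the document.

    Each finding records which element the enveloped signature sits in, the SignatureMethod
    and DigestMethod URIs, whether either is on the weak list, and whether the Reference URI
    really points at the element that carries the signature (a mismatch is the classic
    signature-wrapping smell and must be treated as a failed validation).
    """
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        signed_element = parent_of.get(sig, root)  # enveloped signature: the signed element
        signed_id = signed_element.get("ID")
        signed_info = sig.find(f"{{{DS}}}SignedInfo")
        sig_method = signed_info.find(f"{{{DS}}}SignatureMethod").get("Algorithm")
        for ref in signed_info.findall(f"{{{DS}}}Reference"):
            digest_method = ref.find(f"{{{DS}}}DigestMethod").get("Algorithm")
            findings.append({
                "signed_element": signed_element.tag.split("}")[-1],
                "signature_method": sig_method,
                "digest_method": digest_method,
                "weak": sig_method in WEAK_ALGORITHMS or digest_method in WEAK_ALGORITHMS,
                "reference_matches_signed_element": ref.get("URI") == f"#{signed_id}",
            })
    return findings


def weak_algorithms_used(xml_text):
    """Sorted list of weak algorithm URIs found in any signature of the document."""
    used = set()
    for f in audit_signatures(xml_text):
        used.update(a for a in (f["signature_method"], f["digest_method"]) if a in WEAK_ALGORITHMS)
    return sorted(used)


if __name__ == "__main__":
    for label, doc in (("SHA-1 response", SAMPLE_RESPONSE_SHA1),
                       ("SHA-256 response", SAMPLE_RESPONSE_SHA256)):
        for finding in audit_signatures(doc):
            print(label, finding)
        print(label, "weak algorithms:", weak_algorithms_used(doc))
```

Run against the SHA-1 sample it reports rsa-sha1 and sha1 on the Response signature; against the SHA-256 variant it reports nothing weak. ExtendedMetadata.signingAlgorithm only governs the signatures the SP itself produces; the rsa-sha1 SignatureMethod in the quoted Response was put there by the IdP, whose Issuer is an ADFS endpoint, so the change belongs on that side (for ADFS, the relying party trust's secure hash algorithm, settable with Set-AdfsRelyingPartyTrust -SignatureAlgorithm). Note also that the quoted log says signature validation succeeded; the failure it records is the urn:oasis:names:tc:SAML:2.0:status:Responder status the IdP returned, which is a separate, IdP-side problem.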