
Unable to sign with SHA-256

See original GitHub issue

Describe the bug

Unable to sign with SHA-256, even updating signingAlgorithm keeps it as SHA-1

To Reproduce

    <samlp:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
        Destination="https://contactcenter.np-mylincolnportal.com/saml/SSO"
        ID="_076f5d60-4cd4-402d-b574-c191127efbfd" InResponseTo="a15026df977c8cd4bhigg9i3h99c9g"
        IssueInstant="2019-03-18T22:37:22.543Z" Version="2.0"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://sso.lfg.com/adfs/services/trust</Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#_076f5d60-4cd4-402d-b574-c191127efbfd">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>la0uwregQ/KZXbnrhT2vbkZm6hc=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>

Where I’m updating signingAlgorithm

    // Setup advanced info about metadata
    @Bean
    public ExtendedMetadata extendedMetadata() {
        ExtendedMetadata extendedMetadata = new ExtendedMetadata();
        extendedMetadata.setIdpDiscoveryEnabled(false);
        extendedMetadata.setSigningAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
        extendedMetadata.setSignMetadata(true);
        extendedMetadata.setEcpEnabled(true);
        return extendedMetadata;
    }

Error Response

Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
2019-03-18 18:20:04.615  INFO [gateway,e3fb953e205ec452,e3fb953e205ec452,false] 1 --- [io-8443-exec-10] o.s.security.saml.log.SAMLDefaultLogger  : AuthNResponse;FAILURE;10.192.16.125;lfg-cc-gateway;http://sso.lfg.com/adfs/services/trust;;;org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null

Issue Analytics

  • State: open
  • Created 5 years ago
  • Comments: 18 (3 by maintainers)

Top GitHub Comments

garrit-schroeder commented, Mar 9, 2020 (1 reaction)

Sure, I am preparing my conf. Hang on.

vdenotaris commented, Mar 9, 2020 (0 reactions)

Sorry folks, I very much appreciate your passion, but this is not the right way to manage an issue. The code that has been posted does not iron out the case, but just reflects how to set up a custom IdP in Spring SAML.

As stated by @tyleragnew, the SHA mismatch depends on the IdP configuration. In SAML-based authentication, IdP and SP need to agree on the cipher suite when establishing the trust relationship (see https://en.wikipedia.org/wiki/SAML_metadata).

If you run this application against a SHA-256 enabled Identity Provider, everything works accordingly (see: https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/).

Note: the issue is still open just because NO secure application must still rely on SHA-1, since it has been proven to be weak against collision attacks.
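The maintainer's point is that the algorithm on an IdP-issued Response is chosen by the IdP, not by the SP's signingAlgorithm setting, so the first thing to check is which algorithms the captured message actually carries and on whose element. The script below is an added example (not code from the issue author or the Spring SAML project): it parses a SAML 2.0 Response with the standard library, reports per <ds:Signature> which element it envelops, that element's Issuer, the SignatureMethod and DigestMethod URIs, whether the Reference URI matches the signed element's ID, and flags SHA-1 based algorithms. The sample Response is constructed for the example; its IDs, URLs and signature/digest values are placeholders, not real cryptographic values.

```python
"""Report the signature and digest algorithms a SAML 2.0 Response really uses.

Added example; not from the Spring SAML project or the issue.  The sample XML
below is constructed: IDs, URLs and Signature/Digest values are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DS = "{%s}" % NS["ds"]

# Well-known XML-DSig / RFC 4051 algorithm identifiers.
SHA1_SIGNATURE_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
}
SHA1_DIGEST_ALG = "http://www.w3.org/2000/09/xmldsig#sha1"

# Constructed sample: the Response itself is signed with rsa-sha1/sha1 (as in
# the issue), while the embedded Assertion is signed with rsa-sha256/sha256.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2019-03-18T22:37:22Z"
    Destination="https://sp.example.com/saml/SSO">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_resp1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assn1" Version="2.0" IssueInstant="2019-03-18T22:37:22Z">
    <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_assn1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def inspect_signatures(xml_text):
    """Return one dict per <ds:Signature>, in document order."""
    root = ET.fromstring(xml_text)
    # Map each element to its parent so we know what an enveloped Signature covers.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for sig in root.iter(DS + "Signature"):
        signed_elem = parent_of.get(sig, root)
        issuer_elem = signed_elem.find("saml:Issuer", NS)
        signed_info = sig.find("ds:SignedInfo", NS)
        sig_method = signed_info.find("ds:SignatureMethod", NS).get("Algorithm")
        refs = signed_info.findall("ds:Reference", NS)
        digest_algs = [r.find("ds:DigestMethod", NS).get("Algorithm") for r in refs]
        ref_uris = [r.get("URI", "") for r in refs]
        findings.append({
            "signed_element": local_name(signed_elem.tag),
            "issuer": issuer_elem.text.strip() if issuer_elem is not None and issuer_elem.text else None,
            "signature_method": sig_method,
            "digest_methods": digest_algs,
            # A Reference that does not point at the enclosing element's ID deserves a look.
            "reference_matches_id": ("#" + signed_elem.get("ID", "")) in ref_uris,
            "weak": sig_method in SHA1_SIGNATURE_ALGS or SHA1_DIGEST_ALG in digest_algs,
        })
    return findings


def weak_signers(xml_text):
    """Return {(signed element, issuer)} for every SHA-1 based signature."""
    return {(f["signed_element"], f["issuer"]) for f in inspect_signatures(xml_text) if f["weak"]}


if __name__ == "__main__":
    for f in inspect_signatures(SAMPLE_RESPONSE):
        status = "WEAK (SHA-1)" if f["weak"] else "ok"
        print(f"{f['signed_element']:<9} issuer={f['issuer']} sig={f['signature_method']} "
              f"digests={f['digest_methods']} ref_ok={f['reference_matches_id']} -> {status}")
```

Run against a Response captured from the SP's debug log: if the entry for the Response (or Assertion) shows an IdP Issuer and rsa-sha1, the SHA-1 comes from the IdP's signing configuration, and changing ExtendedMetadata on the SP will not alter it.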

