I am writing a piece of code to verify the Xml signature in the X509 certificate and get the exception message in the subject line.
My sample code
```vb
Dim cert As X509Certificate2 = GetCertificate("Certificate Name")
Dim signedXml As SignedXml = New SignedXml(Me.samlResponseXml)
If (signedXml.CheckSignature(cert, True)) Then
    'The signature is valid
Else
    ' The signature is invalid
    Throw New ArgumentException("Invalid signature found in Saml Xml.")
End If
```
I have successfully loaded the certificate from the certificate store (line 1 of the code).
I have successfully filled signedXml (line 2 of the code).
An exception is thrown when I call the signedXml.CheckSignature(cert, True) function. The message is very unclear:

```text
Value cannot be null.
Parameter name: name
```
What’s wrong here?
Call stack:
```text
System.ArgumentNullException was unhandled by user code
  Message=Value cannot be null. Parameter name: name
  ParamName=name
  Source=mscorlib
  StackTrace:
    at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
    at System.Security.Cryptography.Xml.SignedXml.CheckSignedInfo(AsymmetricAlgorithm key)
    at System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key)
    at System.Security.Cryptography.Xml.SignedXml.CheckSignature(X509Certificate2 certificate, Boolean verifySignatureOnly)
    at MyNamespace.MyClass.MyFunction() in D:\Projects\MyProject\Test.vb:line 117
```
Update 1
I opened the .NET Framework source code for debugging; the exception is thrown from the SignedXml.CheckSignedInfo method, where there is this line of code:

```csharp
SignatureDescription signatureDescription = CryptoConfig.CreateFromName(SignatureMethod) as SignatureDescription;
```

Obviously, SignatureMethod is a wrapper:

```csharp
public string SignatureMethod {
    get { return m_signature.SignedInfo.SignatureMethod; }
}
```

m_signature.SignedInfo.SignatureMethod is a null value. I read about SignatureMethod again on MSDN at http://msdn.microsoft.com/en-us/library/system.security.cryptography.xml.signedxml.signaturemethod.aspx, and paste the XML with the signature part below. I have a SignatureMethod tag that contains a value, so why can't SignedXml handle it?
```xml
...
fvQx+J90ZGKhwj8Mfhg6v/esOtI=</DigestValue>
...
Ft2mQEA3a39uRq5N94pDI8Y6B/UGLXHkZJ+/besOQmEtZoi630vBDzQfIxx5Djgg6YYeF/s67iF+KLgfvBrHxoe3E8xiqTwBigem41+PJdITlwgrOTkLo2sSdj4DaFdxeN+SCy6KfKXpDBvDyN4i/R0hBKodGwytfzK/DMeOhHU=</SignatureValue>
...
MIICBjCCAXOgAwIBAgIQ3VhOVESMV71O0q5EttLxxDAJBgUrDgMCHQUAMBwxGjAYBgNVBAMTEUlkZW50aXR5UHJvdmlkZXIxMB4XDTExMDkwMTA1MDAwMFoXDTQwMTIzMTA1MDAwMFowHDEaMBgGA1UEAxMRSWRlbnRpdHlQcm92aWRlcjEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMBVhtKneTweMOgmvwO+i8AvZ5p0/PGatzLKNXVctTROcXb48u3L9JR3sVPasAFNsafq086xqaWyuFM7jAHtYHTQg/oLt+wGCKd7w/n4s0crxM3NVahDmSUPnBW9RZM2XD4pOs9DTu8aEEQGN/p01jrIMgPYhdlVsTJSg43lLyzjAgMBAAGjUTBPME0GA1UdAQRGMESAEHDoTOJwf2lSgqgCU4TXI2ShHjAcMRowGAYDVQQDExFJZGVudGl0eVByb3ZpZGVyMYIQ3VhOVESMV71O0q5EttLxxDAJBgUrDgMCHQUAA4GBAKvsy5KkU9dDNWDRW55/+s7txFfl4ZmWw45AmZYXEA90g+xzALFtWbX/QGqCOx4C0h5fB5Oco084B7gJK/uf2a8oaYvxYGwlxgRxJ9Dq5XBx5ZhOuobT8G2xVy575cbaGnFbObG6/E33Mva1gAYdw7rvGaz/dYuBeChsEIvzROYU</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
```
SignedXml requires two steps to verify. The first step is construction, in which you provide the document or element in which the signed element will be found. The second step is that you must load the Signature element through the LoadXml method (it may come from a different document).

Taking the example from the SignedXml MSDN page, but modifying it for the certificate:
```csharp
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static Boolean VerifyXmlFile(XmlElement samlResponseXml, X509Certificate2 cert)
{
    // Create a new SignedXml object and pass it the XML.
    SignedXml signedXml = new SignedXml(samlResponseXml);
    // Find the "Signature" node and create a new XmlNodeList object.
    // Look it up by local name and XML-DSig namespace so that a prefixed
    // element such as <ds:Signature> is found as well.
    XmlNodeList nodeList = samlResponseXml.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
    // TODO: Error checking. Was it found? Were too many found?
    // Load the signature node.
    signedXml.LoadXml((XmlElement)nodeList[0]);
    // Check the signature and return the result.
    return signedXml.CheckSignature(cert, true);
}
```

When using SignedXml, please pay attention to the issues in the "Remarks" section on the MSDN page. In particular, make sure that the signing key is suitable for signing the content (similar to performing hostname verification during a TLS session).
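Putting the two steps together, here is an added C# example (mine, not code from the question or the answer) that goes a little beyond the MSDN sample: it loads the signature by namespace, verifies it against the identity provider certificate the application already trusts, and then checks that the signature's single Reference actually covers the Response element before the result is believed, which makes the "is the signing key suitable for the content" point from the Remarks section concrete. The SAML response, its ID and the self-signed certificates in Main are constructed for the demo; .NET 6 or later is assumed for CertificateRequest, and GetCertificate from the question is the assumed source of the real identity provider certificate.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not code from the question or the answer. Assumed: the caller
// already holds the identity provider's certificate from its own trust store
// (the GetCertificate helper in the question); nothing in the document's
// <KeyInfo> is used to decide trust.
public static class SamlSignatureVerifier
{
    const string SamlProtocolNs = "urn:oasis:names:tc:SAML:2.0:protocol";

    public static XmlDocument Load(string samlResponseXml)
    {
        // Canonicalisation is whitespace-sensitive, so the document must be
        // parsed exactly as it was signed; XmlResolver = null blocks DTD fetches.
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        doc.LoadXml(samlResponseXml);
        return doc;
    }

    public static bool Verify(string samlResponseXml, X509Certificate2 idpCert)
    {
        XmlDocument doc = Load(samlResponseXml);
        XmlNodeList responses = doc.GetElementsByTagName("Response", SamlProtocolNs);
        if (responses.Count != 1)
            throw new CryptographicException("Expected exactly one samlp:Response element.");
        var root = (XmlElement)responses[0];
        string id = root.GetAttribute("ID");
        if (string.IsNullOrEmpty(id))
            throw new CryptographicException("Response has no ID attribute to be referenced.");

        // Step 1 from the answer: construct SignedXml over the signed element.
        var signedXml = new SignedXml(root);

        // Step 2 from the answer: load the <ds:Signature> element. Without this,
        // SignedInfo is null and CheckSignature fails exactly as in the question.
        // Match on namespace: SAML responses normally prefix it (ds:Signature),
        // so GetElementsByTagName("Signature") alone would not find it. Only a
        // direct child counts; a signature nested inside an <Assertion> covers
        // the assertion, not the response.
        var sigs = root.ChildNodes.OfType<XmlElement>()
            .Where(e => e.LocalName == "Signature" && e.NamespaceURI == SignedXml.XmlDsigNamespaceUrl)
            .ToList();
        if (sigs.Count != 1)
            throw new CryptographicException($"Expected one enveloped signature, found {sigs.Count}.");
        signedXml.LoadXml(sigs[0]);

        // A valid signature is worthless if it does not cover the element we
        // are about to trust: require a single reference to this Response's ID
        // and make sure that ID resolves back to this very element.
        var refs = signedXml.SignedInfo.References.Cast<Reference>().ToList();
        if (refs.Count != 1 || refs[0].Uri != "#" + id)
            throw new CryptographicException("Signature does not reference the Response element.");
        if (!ReferenceEquals(signedXml.GetIdElement(doc, id), root))
            throw new CryptographicException("Reference ID resolves to another element.");

        // Verify against the certificate we already trust. 'true' skips chain
        // building, which is appropriate only because the certificate came from
        // our own store rather than from the document's <KeyInfo>.
        return signedXml.CheckSignature(idpCert, true);
    }

    // Self-test with constructed data: a throw-away key signs a minimal
    // Response, and Verify is run with the right and with a wrong certificate.
    public static void Main()
    {
        X509Certificate2 idp = MakeTestCert("CN=Constructed IdP");
        X509Certificate2 other = MakeTestCert("CN=Constructed Other");
        string signed = SignConstructedResponse(idp);

        Console.WriteLine("trusted cert:  " + Verify(signed, idp));    // True
        Console.WriteLine("wrong cert:    " + Verify(signed, other));  // False
        string tampered = signed.Replace("Version=\"2.0\"", "Version=\"2.1\"");
        Console.WriteLine("tampered body: " + Verify(tampered, idp));  // False
    }

    static X509Certificate2 MakeTestCert(string subject)
    {
        RSA rsa = RSA.Create(2048);  // constructed, throw-away key
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddHours(1));
    }

    static string SignConstructedResponse(X509Certificate2 cert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<samlp:Response xmlns:samlp=\"" + SamlProtocolNs + "\" ID=\"_constructed-1\" Version=\"2.0\">"
                  + "<samlp:Status/></samlp:Response>");
        var signer = new SignedXml(doc) { SigningKey = cert.GetRSAPrivateKey() };
        var reference = new Reference("#_constructed-1");
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signer.AddReference(reference);
        signer.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signer.GetXml(), true));
        return doc.OuterXml;
    }
}
```

In a real service provider, Verify would be called with the response body from the POST binding and the certificate from the identity provider's metadata; the reference and ID checks are what keep a correct signature on some other element in the document from being mistaken for a signature on the Response itself.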