I'm new to .NET and I'm using this MSDN guide to verify the signature in an XML document. I'm at step 7, calling the CheckSignature method on the SignedXml object. I get an ArgumentNullException, but it isn't raised by any code I wrote. I know the guide has name mismatches, and I have corrected them in my code.

When I look at the exception details, it says the Param name is `name`, and that it was passed to the System.Security.Cryptography.CryptoConfig.CreateFromName method. I've been reading the documentation and Stack Overflow questions for hours and I'm stumped.
Edit: here is the code. I tried using the certificate that came with the SAML assertion. I still get the same result.
XmlDocument doc = new XmlDocument()
{
    PreserveWhitespace = true
};
doc.LoadXml(DecodedAssertion); // this is a SAML assertion that has been base64 decoded
XmlNodeList SignatureNodes = doc.GetElementsByTagName("Signature", "http://www.w3.org/2000/09/xmldsig#");
SignedXml AuthXml = new SignedXml(doc);
foreach (XmlNode Node in SignatureNodes)
{
    XElement tmp = XElement.Load(Node.CreateNavigator().ReadSubtree());
    XNamespace ds = "http://www.w3.org/2000/09/xmldsig#";
    IEnumerable<XElement> certificate =
        from el in tmp.Descendants(ds + "X509Certificate")
        select el;
    string x = certificate.First().Value;
    X509Certificate2 cert = new X509Certificate2(Encoding.UTF8.GetBytes(x));
    AuthXml.CheckSignature(cert, true);
}
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://fakeurl.com" ID="fakeid" IssueInstant="2015-08-27T13:52:37.356Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk4sxs39xvadTNJp0h7</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#fakeid">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>Lkz8MM61fcUPxu4Yil1LPhaR8+BzPztYICIClnuM/UY=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>iNW0vkYnbcC6Q7gQZJ1NMeNkcQa72GFCepJyMmql2gfPZ2W6HFc5HKZp91tzvFMTGfAmfOlP9Ew27HMdyph6JhxG3Nq5JqrwWUa0J8f93hPLcR28Qwoj6ZJKX9JNmyp5koi5H9iF1DSYysDr/LcMikP/E0wOscetIQvY5bm7Ul7CemlPOQAx2gsClV4adGdp7rUCKzC+VSyAlUSZuLe/RHhzXyY+ThwQoA833Fg/LVJxcPv1E5kg8wzxfqInU1icgeS4sVRJSzxcC6h7ePldxgoBiaajtoLGSu0+8lQgT3/6arvcpFfA4uvH4LFxmc+2BDThEyKAbSFI7A7MH2Y6Sw==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDqjCCApKgAwIBAgIGAUsUmy2MMA0GCSqGSIb3DQEBBQUAMIGVMQswCQYDVQQGEwJVUzETMBEG...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="fakeid2" IssueInstant="2015-08-27T13:52:37.356Z" Version="2.0">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/issuergoeshere</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#fakeid2">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>R2Qqgf4W6J5xC9mw5hF/kgoB/0Ks9n1WeGZ+DGPDOPI=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>kJMgYFflTmKaSd3kCScEvVYKgoHWhelo+YUjxONJUPxvBC66VUj6zL4ikvXml2UMoUA/i/VePot/numcRtRzOFrFUbIfPgAPjGdyYEQFxjd0UkR2LlFMGDI4XvcRDXbiZCh2GloRreue80sS3xm77YEDqeCgpN0mN11vdSxkWJrUBKJzOjsFriQFkWnk5sfT/6Z8zJwyPnxdY5aKYmhjbNsqrrUWBqSE1TgoMs073CLTWRXYlv318Qzs5sVdzh+nU/Rx66RDvobf2CLH7c3ipKybYq1U3lu2f91Xt9RTLAKRIam4iOvXEZesty+vdFPMxYfxZDr6aEDhJM8kO7ww6w==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIDqjCCApKgAwIBAgIGAUsUmy2MMA0GCSqGSIb3DQEBBQUAMIGVMQswCQYDVQQGEwJVUzETMBEG...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">username@domain.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2015-08-27T13:57:37.356Z" Recipient="http://fakeurl.com"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2015-08-27T13:47:37.356Z" NotOnOrAfter="2015-08-27T13:57:37.356Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:AudienceRestriction>
        <saml2:Audience>http://fakeurl.com/metadata</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2015-08-27T13:52:37.356Z" SessionIndex="id1440683557356.976202148" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
Answer 0 (score: 1)
You forgot step 6.

You can change this line:
AuthXml.CheckSignature(cert, true);
to
AuthXml.LoadXml((XmlElement)Node);
AuthXml.CheckSignature(cert, true);
The reason this matters is that it implicitly sets the SignatureMethod property of the AuthXml object. If you were to inspect the AuthXml.SignatureMethod property in your current code, you would find that it is probably null, which leads to the ArgumentNullException.
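Steps 6 and 7 put together, plus the two checks the question's loop leaves out (which Reference the signature actually covers, and whose key verifies it). This is an added example, not code from the question, the answer or the MSDN guide; `trustedIdpCert` is assumed to be the IdP signing certificate obtained out of band (for example from its metadata), and the namespaces are the ones that appear in the question's SAML response.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

static class SamlSignatureCheck
{
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Verifies the enveloped signature on `signedElement` (e.g. the saml2:Assertion).
    // Returns true only if the signature is valid, covers exactly this element, and was
    // produced by `trustedIdpCert` (assumed: the IdP certificate you obtained out of band).
    public static bool VerifyEnvelopedSignature(XmlElement signedElement, X509Certificate2 trustedIdpCert)
    {
        // Use only a ds:Signature that is a direct child of the element being verified.
        XmlElement sigEl = signedElement.ChildNodes.OfType<XmlElement>()
            .FirstOrDefault(e => e.LocalName == "Signature" && e.NamespaceURI == DsNs);
        if (sigEl == null)
            return false;

        var signedXml = new SignedXml(signedElement);
        signedXml.LoadXml(sigEl); // step 6: without this, SignatureMethod stays null

        // The single Reference must point at this element's own ID; otherwise a valid
        // signature over some other element in the document would be accepted.
        string expectedUri = "#" + signedElement.GetAttribute("ID");
        if (signedXml.SignedInfo.References.Count != 1 ||
            ((Reference)signedXml.SignedInfo.References[0]).Uri != expectedUri)
            return false;

        // Step 7: verify with the certificate we already trust. The certificate inside
        // ds:KeyInfo arrives with the message, so verifying against it proves nothing about
        // the sender. `true` skips chain validation, which is why the key must be pinned.
        return signedXml.CheckSignature(trustedIdpCert, true);
    }

    // Convenience wrapper for a base64-decoded SAML Response like the one in the question.
    public static bool VerifyAssertion(string decodedResponse, X509Certificate2 trustedIdpCert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true }; // whitespace is part of the signed bytes
        doc.LoadXml(decodedResponse);
        XmlElement assertion = doc.GetElementsByTagName("Assertion", SamlNs)
            .OfType<XmlElement>().FirstOrDefault();
        return assertion != null && VerifyEnvelopedSignature(assertion, trustedIdpCert);
    }
}
```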