
Hi everyone. I have a riddle. It may be obvious to someone, so here it is.

About 10 days ago, after running perfectly for a few weeks, my Service Provider application started throwing a strange error. I have a service provider running both locally and on Azure. The application uses KentorAuthServices to handle the messy XML and crypto bits. It ran smoothly, then suddenly began throwing the error "Could not create hash algorithm object." I enabled framework debugging and traced it to the spot indicated in the last line of this stack-trace excerpt:

[CryptographicException: Could not create hash algorithm object.]
   System.Security.Cryptography.Xml.Reference.CalculateHashValue(XmlDocument document, CanonicalXmlNodeList refList) +160912
   System.Security.Cryptography.Xml.SignedXml.CheckDigestedReferences() +154
   System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key) +73

Indeed, it cannot create the hash algorithm object, because the algorithm represented by this URI

http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

is now claimed to be unsupported, even though a custom handler for it is built into KentorAuthServices and it worked as expected until things broke without warning. As a sanity check, I pointed the SP application at Kentor's own stub IdP, and the application behaved as expected. Likewise, I validated the SAML response (reproduced below) against OneLogin's SAML validation utility, which also reported that the response is valid but the algorithm is unsupported.

Things I know:

  • The Azure AD certificate is current, complete and accessible in the LocalMachine Trusted Root certificate store, and was created after the October 10 rollover policy change (which should not matter here anyway).
  • The SP does not sign requests with any funky self-signed certificate; it never has.
  • Both locally and on Azure, the application is hooked to the SSL port.
  • The app's configuration (EntityId, Issuer, metadata location and loading, bindings, request-signing behaviour, and so on) is unchanged, except for my test, which added a swappable IdP reference pointing at the stub provider.
  • Azure AD processes the request successfully and issues a response that is otherwise valid; however, System.Security.Cryptography cannot create the hash for the signature.

I feel I am missing something obvious, other than the fact that the application did not change from one day to the next; so I have to ask whether anything in the world changed that would explain why rsa-sha256 is about to die. Here are the redacted SAML request and response for your perusal. Most identifying information has been removed, but you already know it comes from Azure AD, so the certificate is there and you can validate it for your own edification. Thanks, and have a nice day.

<saml2p:AuthnRequest
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="id1cf99748a239485692824ff1b950b5f9"
Version="2.0"
IssueInstant="2016-11-29T16:44:34Z"
Destination="https://login.windows.net:443/xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2"
AssertionConsumerServiceURL="https://xxxx.azurewebsites.net/AuthServices/Acs">
<saml2:Issuer>https://xxxxx.xxx/federation</saml2:Issuer>
</saml2p:AuthnRequest>

<samlp:Response 
    ID="_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 
    Version="2.0" 
    IssueInstant="2016-11-29T16:44:36.521Z" 
    Destination="https://xxxxxxxx.azurewebsites.net/AuthServices/Acs" 
    InResponseTo="id1cf99748a239485692824ff1b950b5f9" 
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer 
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/
    </Issuer>
    <samlp:Status>
        <samlp:StatusCode 
            Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <Assertion 
        ID="_xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx" 
        IssueInstant="2016-11-29T16:44:36.505Z" 
        Version="2.0" 
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx/</Issuer>
        <ds:Signature 
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod 
                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod 
                    Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <ds:Reference 
                    URI="#_2a5aa895-bcf1-4f98-87d6-187e7d75338c">
                    <ds:Transforms>
                        <ds:Transform 
                            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform 
                            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod 
                        Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                    <ds:DigestValue>
                        HE62WvhO505xxxxxxxxnopQTPfL6LybGYySKUKfBxtY=
                    </ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>E8bvvT1iw148RaVOtlPWWMhPMq121arxJ2lwRd3Boi5Xe3Lw+sc9TgCWsmFa4tcIq0idmYTkYVio4cBDNnzIcMqy28JeeiF53nriO3eyxRQiPeJhyy6JUFnbhWEa6DcYvIbD14izrvdQGuGzULeL8K2cc32xDnCjYZXAWvY4V+iaEJhXqc50bfplUXwTcgo2YzPckmh/+iad0jVFBBj1S7bMDp9+hOvUHgrwU/FIm8H7Y/g6rZZ2mlkEsdRP0WRQfCgI/IHLf1IqUdaGE9hZpqcecmtAiKytWIe/0z/8zzUC3Xp2f+L2XEXMH3Y7iNOyKr38X3FQ/OChWEdYLIj3rw==</ds:SignatureValue>
            <KeyInfo 
                xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>...</X509Certificate>
                </X509Data>
            </KeyInfo>
        </ds:Signature>
        <Subject>
            <NameID 
                Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">xxxxxxxxx.xxxxxxxxxxxxxxx@Xxxxxxxxxxx.com
            </NameID>
            <SubjectConfirmation 
                Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData 
                    InResponseTo="id1cf99748a239485692824ff1b950b5f9" 
                    NotOnOrAfter="2016-11-29T16:49:36.505Z" 
                    Recipient="https://xxxxxxxxxxxxxxxxxxxxxxx.azurewebsites.net/AuthServices/Acs"/>
            </SubjectConfirmation>
        </Subject>
        <Conditions 
            NotBefore="2016-11-29T16:39:36.505Z" 
            NotOnOrAfter="2016-11-29T17:39:36.505Z">
            <AudienceRestriction>
                <Audience>https://xxxxxxxxxxxxxx.com/federation</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute 
                Name="http://schemas.microsoft.com/identity/claims/tenantid">
                <AttributeValue>ccbf68cb-7932-44bd-b015-cb686e0a4441</AttributeValue>
            </Attribute>
            <Attribute 
                Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
                <AttributeValue>94d0114a-c4b8-4568-bf63-4b597aa65eda</AttributeValue>
            </Attribute>
            <Attribute 
                Name="http://schemas.microsoft.com/identity/claims/displayname">
                <AttributeValue>xxxxxxxxxxxxxxxxxxxx</AttributeValue>
            </Attribute>
            <Attribute 
                Name="http://schemas.microsoft.com/identity/claims/identityprovider">
                <AttributeValue>live.com</AttributeValue>
            </Attribute>
            <Attribute 
                Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
                <AttributeValue>xxxxxxxxxxxxx</AttributeValue>
            </Attribute>
            <Attribute 
                Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
                <AttributeValue>xxxxxxxxxxxxxxxxxxxxxxx</AttributeValue>
            </Attribute>
            <Attribute 
                Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                <AttributeValue>xxxxxxxxxxxxxxxxxxxxx@Xxxxxxxxxxxxxxxxxx.com</AttributeValue>
            </Attribute>
            <Attribute 
                Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                <AttributeValue>xxxxxxxxxxxxxxxx.xxxxxxxxxxxx@xxxxxxxxxxxxxxxxxxxx.com</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement 
            AuthnInstant="2016-11-27T02:37:17.000Z" 
            SessionIndex="_xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>
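One thing worth checking before suspecting the SignatureMethod: in the response as posted, the `ds:DigestMethod` of the Reference also carries `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`. That URI names a signature scheme (RSA over SHA-256), not a hash function, and `Reference.CalculateHashValue` in .NET's `SignedXml` resolves the DigestMethod URI through `CryptoConfig` expecting a `HashAlgorithm`; anything else produces exactly "Could not create hash algorithm object". The following linter is an added example (not code from the poster or from KentorAuthServices) that parses a SAML Response with only the Python standard library and flags algorithm URIs that sit in the wrong slot, SHA-1 usage, and a Reference that does not point at the element enclosing the enveloped signature. The two sample responses are constructed skeletons modelled on the posted structure, not real tokens; their IDs and digest values are placeholders.

```python
"""Added example: lint the algorithm URIs in a SAML 2.0 Response's ds:SignedInfo.

Standard library only. The two responses at the bottom are constructed samples
that mirror the structure of the posted response; they are not real tokens.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# ds:DigestMethod must name a hash function. .NET's SignedXml resolves this URI
# to a HashAlgorithm; any other kind of object yields
# "Could not create hash algorithm object" from Reference.CalculateHashValue.
DIGEST_URIS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}
# ds:SignatureMethod names key algorithm plus hash; these belong only there.
SIGNATURE_URIS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}
SHA1_URIS = {"http://www.w3.org/2000/09/xmldsig#sha1",
             "http://www.w3.org/2000/09/xmldsig#rsa-sha1"}


def check_signed_info(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means SignedInfo looks sane."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build the map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    signatures = list(root.iter(f"{{{DS}}}Signature"))
    if not signatures:
        return ["no ds:Signature element found"]
    for sig in signatures:
        signed_element = parent_of.get(sig)  # enveloped: the Assertion
        si = sig.find(f"{{{DS}}}SignedInfo")
        if si is None:
            findings.append("ds:Signature without ds:SignedInfo")
            continue
        sm = si.find(f"{{{DS}}}SignatureMethod")
        sm_alg = sm.get("Algorithm") if sm is not None else None
        if sm_alg not in SIGNATURE_URIS:
            findings.append(f"SignatureMethod is not a known signature URI: {sm_alg}")
        elif sm_alg in SHA1_URIS:
            findings.append("SignatureMethod uses SHA-1; prefer rsa-sha256")
        refs = si.findall(f"{{{DS}}}Reference")
        if not refs:
            findings.append("SignedInfo carries no ds:Reference")
        for ref in refs:
            uri = ref.get("URI", "")
            dm = ref.find(f"{{{DS}}}DigestMethod")
            dm_alg = dm.get("Algorithm") if dm is not None else None
            if dm_alg in SIGNATURE_URIS:
                findings.append(
                    f"Reference {uri}: DigestMethod carries a signature URI "
                    f"({dm_alg}); a digest URI such as xmlenc#sha256 is expected")
            elif dm_alg not in DIGEST_URIS:
                findings.append(f"Reference {uri}: unknown DigestMethod {dm_alg}")
            elif dm_alg in SHA1_URIS:
                findings.append(f"Reference {uri}: DigestMethod uses SHA-1")
            # An enveloped signature must cover the element that contains it;
            # a Reference pointing elsewhere is the classic wrapping smell.
            target_id = signed_element.get("ID") if signed_element is not None else None
            if not uri.startswith("#") or uri[1:] != target_id:
                findings.append(
                    f"Reference {uri} does not point at the signed element ID {target_id}")
    return findings


def sample_response(digest_alg: str) -> str:
    """Constructed Response skeleton; only SignedInfo matters for this check."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
    <ds:Signature xmlns:ds="{DS}">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_a1">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="{digest_alg}"/>
          <ds:DigestValue>AAAA</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
    </ds:Signature>
  </Assertion>
</samlp:Response>"""


# Same DigestMethod URI as the posted response, and the digest URI Azure AD
# would normally be expected to emit (assumption for the sample; not the poster's data).
AS_POSTED = sample_response("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
CORRECTED = sample_response("http://www.w3.org/2001/04/xmlenc#sha256")

if __name__ == "__main__":
    for label, doc in (("as posted", AS_POSTED), ("sha256 digest", CORRECTED)):
        print(label, "->", check_signed_info(doc) or ["ok"])
```

Run it against the real response before redacting, since the `xxxx` edits in the posted copy also break the `Reference URI` to `Assertion ID` match that the last check relies on; if the DigestMethod really does say `rsa-sha256` on the wire, the question is what the IdP (or any proxy between it and the ACS) is emitting, not which signature handlers the SP registers.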