我必须验证两个SAML 2.0断言签名。我可以解析所有密钥和令牌参数,现在想使用.NET CryptoUtils.VerifySignature()或其他一些函数来验证签名。我有签名的文本,签名为byte []数组以及哈希OID。我有RSA和SAML令牌参数,例如签名值,模数,指数等。我所缺少的是要发送到.NET VerifySignature()例程中的x509证书。我看不到如何通过参数以编程方式创建证书。
[我也非常感谢有关库c#和Java的任何建议,这些建议将处理创建,解析和验证SAML 2.0令牌(请求和响应)。
在C#中,您可以使用...
System.Security.Cryptography.Xml.SignedXml.CheckSignature(System.Security.Cryptography.X509Certificates.X509Certificate2 certificate, bool verifySignatureOnly)
...以验证签名。基本上,它会像这样工作:
using System.Xml;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Text;
namespace MySamlDocumentExample
{
public class Saml20Transaction : SignedXml
{
public Saml20Transaction(XmlDocument doc)
: base (doc)
{
}
}
public class SamlVerifier
{
readonly XmlDocument _mySamlDocument = new XmlDocument();
public SamlVerifier(string saml)
{
_mySamlDocument.LoadXml(saml);
}
public X509Certificate2 X509Certificate
{
get
{
return new X509Certificate2(
Encoding.ASCII.GetBytes(X509CertificateString));
}
}
public string X509CertificateString
{
get
{
XmlNodeList xmlNodeList = _mySamlDocument.GetElementsByTagName("X509Certificate");
return xmlNodeList[0].InnerText;
}
}
public bool ValidateSignature()
{
Saml20Transaction saml20Transaction = new Saml20Transaction(_mySamlDocument);
XmlNodeList xmlNodeList = _mySamlDocument.GetElementsByTagName("Signature");
saml20Transaction.LoadXml((XmlElement)xmlNodeList[0]);
return saml20Transaction.CheckSignature(X509Certificate, true);
}
}
}