
DigestAlgorithm cannot be determined for SigningAlgorithm PS256 #1367

Open
ritocesura opened this issue Sep 20, 2022 · 6 comments

Comments

@ritocesura

ritocesura commented Sep 20, 2022

Sustainsys.Saml2.AspNetCore2
Version 2.9.0

The SAML configuration of the service provider looks as follows:

services.AddAuthentication()
    .AddSaml2("...", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.SignOutScheme = IdentityServerConstants.DefaultCookieAuthenticationScheme;
        options.SPOptions.EntityId = new EntityId("...");
        options.SPOptions.PublicOrigin = new Uri("...");
        options.SPOptions.OutboundSigningAlgorithm = "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1";
        options.SPOptions.ServiceCertificates.Add(new X509Certificate2("...", "..."));

        options.IdentityProviders.Add(
            new IdentityProvider(
                new EntityId("..."), options.SPOptions)
            {
                MetadataLocation = "...",
                LoadMetadata = true
            });
    });

I need the AuthnRequest to be signed with PS256 (sha256-rsa-MGF1). But when the application tries to sign, the following exception is thrown:
System.InvalidOperationException: Unable to find a digest algorithm for the signing algorithm http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1

Can you kindly guide me on what else I need to configure to have my AuthnRequest signed with PS256 algorithm?

@ritocesura
Author

After investigating a little further, it seems that the error message is a good indicator of what is going wrong.
SigningAlgorithm http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1 is used to get the corresponding DigestAlgorithm, which should be http://www.w3.org/2001/04/xmlenc#sha256.

The GetCorrespondingDigestAlgorithm method tries to get a DigestAlgorithm ending with "MGF1" which fails:

internal static string GetCorrespondingDigestAlgorithm(string signingAlgorithm)
{
    var matchPattern = signingAlgorithm.Substring(signingAlgorithm.LastIndexOf('-') + 1);
    string match = DigestAlgorithms.FirstOrDefault(a => a.EndsWith(
        matchPattern,
        StringComparison.Ordinal));
    if (match == null)
    {
        throw new InvalidOperationException(
            $"Unable to find a digest algorithm for the signing algorithm {signingAlgorithm}");
    }
    return match;
}

Is there a possibility to either (1) set the DigestAlgorithm in the config or (2) change the way the Digest-Algorithm is determined?

The external Idp does not allow for any other Signing- or DigestAlgorithms.

@ritocesura ritocesura changed the title Unable to sign AuthnRequest with PS256 algorithm DigestAlgorithm cannot be determined for SigningAlgorithm PS256 Sep 21, 2022
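As an added illustration (not code from this thread or from Sustainsys.Saml2), here is the suffix heuristic quoted above beside an explicit lookup keyed on the full signing-algorithm URI; the digest list and the mapping entries are constructed from the RFC 6931 identifiers. Mapping the digest correctly only removes this exception; whether the signing stack can actually produce an RSA-PSS XML signature is a separate question, which later comments in this thread raise.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Added illustration, not Sustainsys.Saml2 code: the suffix heuristic from the
// thread next to an explicit signing-to-digest mapping that fails closed.
public static class DigestLookup
{
    // Constructed list of digest URIs, in the shape the library matches against.
    static readonly string[] DigestAlgorithms =
    {
        "http://www.w3.org/2001/04/xmlenc#sha256",
        "http://www.w3.org/2001/04/xmldsig-more#sha384",
        "http://www.w3.org/2001/04/xmlenc#sha512",
    };

    // Same logic as the method quoted in the thread: text after the last '-'.
    // For "...#sha256-rsa-MGF1" the pattern becomes "MGF1", so nothing matches.
    public static string SuffixBased(string signingAlgorithm)
    {
        var matchPattern = signingAlgorithm.Substring(signingAlgorithm.LastIndexOf('-') + 1);
        return DigestAlgorithms.FirstOrDefault(a => a.EndsWith(matchPattern, StringComparison.Ordinal))
            ?? throw new InvalidOperationException(
                $"Unable to find a digest algorithm for the signing algorithm {signingAlgorithm}");
    }

    // Alternative: an explicit allow-list keyed on the full signing URI (RFC 6931
    // identifiers). No substring guessing; unknown URIs are rejected outright.
    static readonly Dictionary<string, string> SigningToDigest = new()
    {
        ["http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"] = "http://www.w3.org/2001/04/xmlenc#sha256",
        ["http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1"] = "http://www.w3.org/2001/04/xmlenc#sha256",
        ["http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1"] = "http://www.w3.org/2001/04/xmldsig-more#sha384",
        ["http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1"] = "http://www.w3.org/2001/04/xmlenc#sha512",
    };

    public static string ExplicitMapping(string signingAlgorithm) =>
        SigningToDigest.TryGetValue(signingAlgorithm, out var digest)
            ? digest
            : throw new InvalidOperationException(
                $"Unsupported signing algorithm {signingAlgorithm}");

    public static void Main()
    {
        const string pss = "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1";
        Console.WriteLine(ExplicitMapping(pss));
        try { SuffixBased(pss); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```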
@AndersAbel
Member

This is a scenario that is new to me. There is no way to handle this in the 1.x or 2.x versions. However, I would be happy to include it in 3.x. The code for XML signature handling is available in the develop branch so it's possible to have a look at how to improve it.

@LeThai96

Hello @ritocesura, I have the same problem. Do you have any solution?

@zesaro

zesaro commented Jul 30, 2024

I think I have a similar problem. I need to use "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1" but I get the following errors using .NET 8.

Were you able to solve it in your scenario, @ritocesura? (@LeThai96)

@ritocesura
Author

@zesaro @LeThai96 Due to time constraints, I had to change to a different library.

@LeThai96

@zesaro As far as I know, the sha256-rsa-MGF1 algorithm is not supported by .NET. I had to switch to a different library. You can take a look at ComponentSpace; they support the algorithm, which is implemented with BouncyCastle.NET.
