
I'm trying to sign an XML using a public key. I'm loading the certificate from a base64 string, provided by the SP. The certificate loads fine, and the public key seems to have information in it, but when I try to use it, I get the following error:

Keyset does not exist

Here's the actual code... any suggestions?? Thanks a lot!

var signingCertificateX509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(Convert.FromBase64String(base64EncryptingCertificate), "password", X509KeyStorageFlags.PersistKeySet);

SignedXml signedXml = new SignedXml(doc);
signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
signedXml.SignedInfo.SignatureMethod = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
signedXml.SigningKey = signingCertificateX509.PublicKey.Key;
Naner
    Signing, by definition, is demonstrating that the material originated at the source that controls the `private` key. Thus it is not possible to sign anything using RSA in absence of private key. You could use the public key for a symmetric signature (like HMAC or similar), but it makes no sense to do it. – zaitsman Nov 14 '17 at 23:08
  • Thank you @zaitsman. I'm confused then, I guess. The SP has requested that the assertion be encrypted and the whole SAML response be signed. Well, let me edit the question, it will make more sense. – Naner Nov 14 '17 at 23:14
  • If by SP you mean `Service Provider`, then they give you the public keys to VALIDATE their signature, not to sign your payloads – zaitsman Nov 14 '17 at 23:16
  • Alright, so here's what I'm doing, I'm signing the assertion using my private key, then I'm encrypting the assertion using the certificate provided by the service provider, and finally, I'm signing the whole message using my private key. Well, the last part seems to be broken, so I thought that maybe the signing of the message needed to be done using the certificate they provided, thus the question. To be honest, little confused at this point. – Naner Nov 14 '17 at 23:24
  • What does it mean `the last part seems to be broken`? – zaitsman Nov 14 '17 at 23:25
  • Well, I've been trying to make my IdP provide a valid response to the SP, and so far no luck. It seems like the problem is with the signature now. This is all I have... "node has an invalid signature at: node path "/*". local namespace xmlns:="urn:oasis:names:tc:SAML:2.0:protocol". – Naner Nov 14 '17 at 23:28
  • Yeah, so are you sure that SP expects a sha1 signature? You might need to check their documentation more thoroughly. – zaitsman Nov 14 '17 at 23:33
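The point the comments converge on, written out as an added C# example (not code from the question or the commenters): the IdP signs the response with its own private key, loaded here from an assumed PFX at a placeholder path with a placeholder password, while the SP-provided certificate is only good for verification on the SP side or for encrypting the assertion. It uses rsa-sha256 instead of rsa-sha1 and, for brevity, appends ds:Signature to the root rather than placing it after saml:Issuer as the SAML profiles expect.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

static class SamlResponseSigner
{
    // Signs the whole document with the IdP's own key; the SP's public-only cert has no private key to offer.
    public static void Sign(XmlDocument doc, X509Certificate2 idpCert)
    {
        using RSA signingKey = idpCert.GetRSAPrivateKey()
            ?? throw new CryptographicException("certificate carries no private key; load the IdP PFX instead");
        var signedXml = new SignedXml(doc) { SigningKey = signingKey };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url; // SHA-256, not the deprecated rsa-sha1
        var reference = new Reference(""); // URI="" covers the entire document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        reference.DigestMethod = SignedXml.XmlDsigSHA256Url;
        signedXml.AddReference(reference);
        var keyInfo = new KeyInfo(); // carries the IdP certificate so the SP can find the verification key
        keyInfo.AddClause(new KeyInfoX509Data(idpCert));
        signedXml.KeyInfo = keyInfo;
        signedXml.ComputeSignature();
        // SAML profiles place ds:Signature right after saml:Issuer; appended to the root here for brevity.
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
    }

    // The SP side: verification needs only the public key from the IdP certificate.
    public static bool Verify(XmlDocument doc, X509Certificate2 idpCert)
    {
        if (!(doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)[0] is XmlElement sig)) return false;
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml(sig);
        using RSA publicKey = idpCert.GetRSAPublicKey();
        return signedXml.CheckSignature(publicKey);
    }

    public static void Main()
    {
        // Placeholder PFX path and password: the IdP's own keypair, not the SP's base64 certificate.
        var idpCert = new X509Certificate2("idp-signing.pfx", "password");
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_r1\"><samlp:Status/></samlp:Response>");
        Sign(doc, idpCert);
        Console.WriteLine(Verify(doc, idpCert) ? "signature verifies" : "signature invalid");
    }
}
```

Calling `Sign` with a certificate built from the SP's base64 string throws at `GetRSAPrivateKey()` instead of failing later with "Keyset does not exist", which makes the root cause visible at the point of misuse.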

0 Answers