
C# SignedXml CheckSignature throwing ArgumentNullException


I'm pretty new to .NET and I'm following this MSDN guide on verifying signatures in XML Documents.

I'm at step 7 where the CheckSignature method is being called on the SignedXml object. I'm getting an ArgumentNullException, but it's not being caused by any of the code that I wrote. I know there are name mismatches in the guide and I've corrected them in my code.

When I look at the exception details, it says Param name is name and it's being passed into the System.Security.Cryptography.CryptoConfig.CreateFromName method. I've been reading documentation and stack overflow questions for hours and I'm stumped.

Edit: Here's the code. I tried going the route of using the certificate that comes with the SAML assertion. I still get the same result.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;
using System.Xml.Linq;

XmlDocument doc = new XmlDocument()
{
    PreserveWhitespace = true // required: the signature was computed over the exact whitespace
};
doc.LoadXml(DecodedAssertion); // this is a SAML assertion that has been base64 decoded
XmlNodeList SignatureNodes = doc.GetElementsByTagName("Signature", "http://www.w3.org/2000/09/xmldsig#");
SignedXml AuthXml = new SignedXml(doc);

foreach (XmlNode Node in SignatureNodes)
{
    XElement tmp = XElement.Load(Node.CreateNavigator().ReadSubtree());

    XNamespace ds = "http://www.w3.org/2000/09/xmldsig#";

    // pull the certificate text out of ds:KeyInfo/ds:X509Data/ds:X509Certificate
    IEnumerable<XElement> certificate =
        from el in tmp.Descendants(ds + "X509Certificate")
        select el;

    string x = certificate.First().Value;

    // the element text is base64-encoded DER, so decode it rather than taking the UTF-8 bytes of the string
    X509Certificate2 cert = new X509Certificate2(Convert.FromBase64String(x));

    AuthXml.CheckSignature(cert, true);
}

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://fakeurl.com" ID="fakeid" IssueInstant="2015-08-27T13:52:37.356Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk4sxs39xvadTNJp0h7</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#fakeid">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>Lkz8MM61fcUPxu4Yil1LPhaR8+BzPztYICIClnuM/UY=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>iNW0vkYnbcC6Q7gQZJ1NMeNkcQa72GFCepJyMmql2gfPZ2W6HFc5HKZp91tzvFMTGfAmfOlP9Ew27HMdyph6JhxG3Nq5JqrwWUa0J8f93hPLcR28Qwoj6ZJKX9JNmyp5koi5H9iF1DSYysDr/LcMikP/E0wOscetIQvY5bm7Ul7CemlPOQAx2gsClV4adGdp7rUCKzC+VSyAlUSZuLe/RHhzXyY+ThwQoA833Fg/LVJxcPv1E5kg8wzxfqInU1icgeS4sVRJSzxcC6h7ePldxgoBiaajtoLGSu0+8lQgT3/6arvcpFfA4uvH4LFxmc+2BDThEyKAbSFI7A7MH2Y6Sw==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDqjCCApKgAwIBAgIGAUsUmy2MMA0GCSqGSIb3DQEBBQUAMIGVMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxFjAUBgNVBAMMDWRvbGJ5ZXh0ZXJuYWwxHDAaBgkqhkiG9w0B
CQEWDWluZm9Ab2t0YS5jb20wHhcNMTUwMTIzMDIyMzQ5WhcNNDUwMTIzMDIyNDQ5WjCBlTELMAkG
A1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTAL
BgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRYwFAYDVQQDDA1kb2xieWV4dGVybmFs
MRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA3TGQ4MaLiNbB4hhy6l7AAw575BexpbDKC/AvUrPkpZv0tUAzjnEpzo3hEBaw7jK/yIG0
mXdrmOxr/m9NuSLgMlxgjnnQp5DR5aaTJSFVFlNki4Ly32WgJTKcYKiUId+ocoukqAbzmWudumh8
vMNBthyK5tv/2mGi5qNhZQZlLaPUv+dQxc9lqpBUsNBw4oFUPQacfcx2SyfH2+SAicP6H9iqiRmS
+/Ye7eAux3VZv7cl0uQLMtx+MUYv0Y9JbGhSe8VYkt8P9B9tpolvZ4TVgPjdqPqwc8tJLB9JKY7+
nqVEtbMHr1QMD5WZvDFLvYpAGn2VbK8E122in9Sb0aMQawIDAQABMA0GCSqGSIb3DQEBBQUAA4IB
AQAhmBUwef37u3WYZYFPLgeBDq5Uqg1usa4l+RUbtthz3+kqsHD9av8GyaYa32W2GV/yHMJjDZCo
EAykKVN0578Qt6bwfY7Jn4P6fjaA2eyL8lTbxtUOfnSIBXtuJKBwH3TjnUCvOmjkUausvGGpNOyL
GvVHNqhVDavcN6FbCZqWOnkRoCfmQR49hJj5WPkXfDt0j4WLSWmBQHXKxqyG9EDoaxZSwbsfOS5P
cRYWCPgBsgVAMQHfEQUdfK1FNnLHDxWIbLEnYHqwW+n1gtnK89jj5sRjme7fNxrEVGgS5w1rZG4c
8MJMDVlBEo/Zblh9IeMN+dvdsPKiK1M5MtoZstEt</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="fakeid2" IssueInstant="2015-08-27T13:52:37.356Z" Version="2.0">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/issuergoeshere</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#fakeid2">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>R2Qqgf4W6J5xC9mw5hF/kgoB/0Ks9n1WeGZ+DGPDOPI=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>kJMgYFflTmKaSd3kCScEvVYKgoHWhelo+YUjxONJUPxvBC66VUj6zL4ikvXml2UMoUA/i/VePot/numcRtRzOFrFUbIfPgAPjGdyYEQFxjd0UkR2LlFMGDI4XvcRDXbiZCh2GloRreue80sS3xm77YEDqeCgpN0mN11vdSxkWJrUBKJzOjsFriQFkWnk5sfT/6Z8zJwyPnxdY5aKYmhjbNsqrrUWBqSE1TgoMs073CLTWRXYlv318Qzs5sVdzh+nU/Rx66RDvobf2CLH7c3ipKybYq1U3lu2f91Xt9RTLAKRIam4iOvXEZesty+vdFPMxYfxZDr6aEDhJM8kO7ww6w==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIDqjCCApKgAwIBAgIGAUsUmy2MMA0GCSqGSIb3DQEBBQUAMIGVMQswCQYDVQQGEwJVUzETMBEG</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2015-08-27T13:57:37.356Z" Recipient="http://fakeurl.com"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2015-08-27T13:47:37.356Z" NotOnOrAfter="2015-08-27T13:57:37.356Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:AudienceRestriction>
        <saml2:Audience>http://fakeurl.com/metadata</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2015-08-27T13:52:37.356Z" SessionIndex="id1440683557356.976202148" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>

Solution

  • You're forgetting to do step 6.

    Could you change this line:

    AuthXml.CheckSignature(cert, true);

    to

    AuthXml.LoadXml((XmlElement)Node);
    AuthXml.CheckSignature(cert, true);

    This is important because it implicitly sets the SignatureMethod property of the AuthXml object. If you were to test the AuthXml.SignatureMethod property as is in your current code you will find it is probably null, which causes the ArgumentNullException.
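A fuller verification routine, added here as an example and not taken from the question or the answer: it performs step 6 (LoadXml) before CheckSignature, and it pins the signer to the IdP certificate the relying party already trusts instead of trusting whatever certificate travels inside ds:KeyInfo. The class and method names, samlXml and trustedIdpCert are placeholders.

```csharp
// Added example (not the question's or the answer's code). Assumes the
// caller supplies the decoded SAML XML and the IdP certificate it trusts.
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class SamlSignatureCheck
{
    private const string DsNs = "http://www.w3.org/2000/09/xmldsig#";

    // True only if every ds:Signature in the document verifies with the
    // trusted IdP certificate and covers its own parent element.
    public static bool VerifyAll(string samlXml, X509Certificate2 trustedIdpCert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(samlXml);

        XmlNodeList signatureNodes = doc.GetElementsByTagName("Signature", DsNs);
        if (signatureNodes.Count == 0)
            return false; // an unsigned response must not be accepted

        foreach (XmlElement sigElement in signatureNodes)
        {
            var signedXml = new SignedXml(doc);
            // Step 6: LoadXml fills in SignedInfo, including SignatureMethod;
            // without it CheckSignature passes a null name to CryptoConfig.
            signedXml.LoadXml(sigElement);

            // The certificate inside ds:KeyInfo arrived with the message, so
            // it proves nothing by itself; it must match the configured IdP cert.
            var embedded = signedXml.KeyInfo.OfType<KeyInfoX509Data>()
                .SelectMany(k => k.Certificates.Cast<X509Certificate>())
                .FirstOrDefault();
            if (embedded != null &&
                embedded.GetCertHashString() != trustedIdpCert.GetCertHashString())
                return false;

            // Verify against the trusted key; verifySignatureOnly: true skips
            // chain building, which is acceptable once the certificate is pinned.
            if (!signedXml.CheckSignature(trustedIdpCert, true))
                return false;

            // The single Reference must point at the element this enveloped
            // signature sits in, so a signed element cannot be moved elsewhere.
            var references = signedXml.SignedInfo.References.Cast<Reference>().ToList();
            var signedElement = (XmlElement)sigElement.ParentNode;
            if (references.Count != 1 || references[0].Uri != "#" + signedElement.GetAttribute("ID"))
                return false;
        }
        return true;
    }
}
```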