Using modern hash algorithms in dotnet XML signatures (for SAML)

Update: On August 2, 2016, Microsoft released version 4.6.2 of the .NET Framework. It maps the rsa-sha256, rsa-sha384 and rsa-sha512 signature methods natively, so the workaround below is only needed on 4.6.1 and earlier.

Microsoft’s .NET Framework comes with built-in support for the rsa-sha1 XML signature algorithm (SignatureMethod http://www.w3.org/2000/09/xmldsig#rsa-sha1), but not for the SHA-2 variants. As of early 2016, rsa-sha1 is deprecated: collision attacks against SHA-1 have become practical enough that it should no longer be trusted to protect signature integrity. SAML Identity Providers like PingIdentity.com and OneLogin.com are starting to sign assertions with the newer algorithms instead: rsa-sha256, rsa-sha384 and rsa-sha512, identified by the http://www.w3.org/2001/04/xmldsig-more# URIs from RFC 4051.

Some configuration of the .NET Framework is required before these algorithms work with Microsoft’s SignedXml class. SignedXml resolves the SignatureMethod URI through CryptoConfig, and an unknown URI does not fall back to anything: ComputeSignature and CheckSignature throw a CryptographicException ("SignatureDescription could not be created for the signature algorithm supplied"). Registering a SignatureDescription for each SHA-2 URI fixes that. Here is how.

First, add three classes to your code, someplace convenient: one SignatureDescription subclass per algorithm (SHA-256, SHA-384 and SHA-512), each pairing RSA PKCS#1 v1.5 signing with the matching digest.

Second, run the code that registers those classes with CryptoConfig under their xmldsig-more URIs, so SignedXml can find them. Registration is process-wide and only needs to run once, so a static constructor is a convenient place. Note that registering the new algorithms does not stop SignedXml from accepting rsa-sha1; if the goal is to retire SHA-1, the verifying side must also reject any signature whose SignatureMethod is not on an allow-list.
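The following is an added example, not the original post’s code, of both steps together on .NET Framework 4.0 to 4.6.1: the three SignatureDescription classes (with a shared base class, which is this example's choice), a one-time CryptoConfig registration, and a sign/verify round trip over a constructed toy assertion that also enforces a SignatureMethod allow-list. The class and method names and the sample XML are assumptions; the algorithm URIs are the standard RFC 4051 and XML Encryption identifiers. It needs a reference to System.Security.dll.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Shared base: RSA PKCS#1 v1.5 over a SHA-2 digest. SignedXml instantiates the
// concrete class via CryptoConfig.CreateFromName(uri), so each one needs a
// public parameterless constructor. (Base class is this example's own layout.)
public abstract class RsaPkcs1Sha2SignatureDescription : SignatureDescription
{
    private readonly string _hashName;

    protected RsaPkcs1Sha2SignatureDescription(string hashName, Type digestType)
    {
        _hashName = hashName;
        KeyAlgorithm = typeof(RSACryptoServiceProvider).FullName;
        DigestAlgorithm = digestType.FullName;
        FormatterAlgorithm = typeof(RSAPKCS1SignatureFormatter).FullName;
        DeformatterAlgorithm = typeof(RSAPKCS1SignatureDeformatter).FullName;
    }

    public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
    {
        var formatter = new RSAPKCS1SignatureFormatter(key);
        formatter.SetHashAlgorithm(_hashName);   // formatter default would be SHA1
        return formatter;
    }

    public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
    {
        var deformatter = new RSAPKCS1SignatureDeformatter(key);
        deformatter.SetHashAlgorithm(_hashName);
        return deformatter;
    }
}

public sealed class RsaPkcs1Sha256SignatureDescription : RsaPkcs1Sha2SignatureDescription
{ public RsaPkcs1Sha256SignatureDescription() : base("SHA256", typeof(SHA256Managed)) { } }
public sealed class RsaPkcs1Sha384SignatureDescription : RsaPkcs1Sha2SignatureDescription
{ public RsaPkcs1Sha384SignatureDescription() : base("SHA384", typeof(SHA384Managed)) { } }
public sealed class RsaPkcs1Sha512SignatureDescription : RsaPkcs1Sha2SignatureDescription
{ public RsaPkcs1Sha512SignatureDescription() : base("SHA512", typeof(SHA512Managed)) { } }

public static class Sha2XmlSignatures
{
    public const string RsaSha256Url = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    public const string RsaSha384Url = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384";
    public const string RsaSha512Url = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";
    public const string Sha256DigestUrl = "http://www.w3.org/2001/04/xmlenc#sha256";
    public const string Sha384DigestUrl = "http://www.w3.org/2001/04/xmldsig-more#sha384";
    public const string Sha512DigestUrl = "http://www.w3.org/2001/04/xmlenc#sha512";

    private static bool _registered;

    // Process-wide and idempotent; call once, e.g. from a static constructor.
    public static void Register()
    {
        if (_registered) return;
        CryptoConfig.AddAlgorithm(typeof(RsaPkcs1Sha256SignatureDescription), RsaSha256Url);
        CryptoConfig.AddAlgorithm(typeof(RsaPkcs1Sha384SignatureDescription), RsaSha384Url);
        CryptoConfig.AddAlgorithm(typeof(RsaPkcs1Sha512SignatureDescription), RsaSha512Url);
        // Digest URIs too, so DigestMethod resolves on frameworks that lack some of them.
        CryptoConfig.AddAlgorithm(typeof(SHA256Managed), Sha256DigestUrl);
        CryptoConfig.AddAlgorithm(typeof(SHA384Managed), Sha384DigestUrl);
        CryptoConfig.AddAlgorithm(typeof(SHA512Managed), Sha512DigestUrl);
        _registered = true;
    }

    // Enveloped signature over the whole document with the requested algorithms.
    public static string Sign(string xml, RSA key, string signatureMethod, string digestMethod)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);
        var signedXml = new SignedXml(doc) { SigningKey = key };
        signedXml.SignedInfo.SignatureMethod = signatureMethod;   // resolved via CryptoConfig
        var reference = new Reference("") { DigestMethod = digestMethod };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc.OuterXml;
    }

    // Verifies against a key you already trust (never one taken from the message's
    // KeyInfo) and rejects SignatureMethods off the allow-list, so that adding SHA-2
    // does not leave rsa-sha1 silently accepted.
    public static bool Verify(string xml, RSA publicKey, ICollection<string> allowedSignatureMethods)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);
        var signatures = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (signatures.Count != 1) return false;
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)signatures[0]);
        if (!allowedSignatureMethods.Contains(signedXml.SignatureMethod)) return false;
        return signedXml.CheckSignature(publicKey);
    }

    public static void Main()
    {
        Register();
        using (var rsa = new RSACryptoServiceProvider(2048))
        {
            // Constructed sample; a real SAML assertion carries more, the signing path is the same.
            const string assertion = "<Assertion ID=\"_1\"><Subject>alice</Subject></Assertion>";
            string signed = Sign(assertion, rsa, RsaSha256Url, Sha256DigestUrl);
            var allowed = new HashSet<string> { RsaSha256Url, RsaSha384Url, RsaSha512Url };
            Console.WriteLine("genuine:  " + Verify(signed, rsa, allowed));
            Console.WriteLine("tampered: " + Verify(signed.Replace("alice", "mallory"), rsa, allowed));
        }
    }
}
```

Two practical caveats. Signing with SHA-2 through RSACryptoServiceProvider requires a CSP that supports it (PROV_RSA_AES, the default for a freshly generated key); a private key loaded from a certificate stored under the older PROV_RSA_FULL provider fails with "Invalid algorithm specified" and must be re-imported into a PROV_RSA_AES container first. And the allow-list in Verify is the part that actually retires SHA-1: CryptoConfig still resolves the rsa-sha1 URI, so without that check a downgraded assertion would verify just as happily as before.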

Tip o’ the hat to Microsoft’s Carlos Lopez and BitSchupster and Andrew on StackOverflow.
