XPath Filter 2.0 Support? (XML Digital Signatures)


XPath Filter 2.0 Support? (XML Digital Signatures) Tim Davis
9/26/2007 2:52:44 PM
asp.net security: Hello all,

I am working with Adobe LiveCycle Designer 8.1 to create forms that the user
will sign with their X.509 Certificate and submit electronically to a
generic .NET HTTP handler (ASHX). I have done some work in both creating and
verifying digital signatures, but I have run into an issue that I'm hoping
someone else has seen. Adobe's XML Digital Signatures seem to use the
XML-Signature XPath Filter 2.0
(http://www.w3.org/TR/2002/PR-xmldsig-filter2-20020827/Overview.html), but
there doesn't seem to be a corresponding .NET Framework class to support
this transform, and the SignedXml.LoadXml() call fails when I try to specify
an XML element containing a Transform with the Algorithm ID
"http://www.w3.org/2002/06/xmldsig-filter2".

Does anyone know where I can get a class that will support this
transformation, such that I can check Adobe-generated XML Digital
Signatures? It's also fine if someone knows a way to instruct Adobe not to
use this Transform when creating the Signature. Least desirable but also a
last-resort option is for someone to provide guidance on "rolling my own"
such Transform.

TIA,

Tim

Here's what I'm getting:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="datasignature_1">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#iddb88862c-6627-11dc-8d00-000c6e541685"
Type="http://www.w3.org/2000/09/xmldsig#SignatureProperties">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>CP/cXdv2OcTnq7bKaWOgOSR9N8g=</DigestValue>
</Reference>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
<XPath xmlns="http://www.w3.org/2002/06/xmldsig-filter2"
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
Filter="intersect">here()/ancestor::dsig:Signature[1]/../../form1[1]//. |
here()/ancestor::dsig:Signature[1]/../../form1[1]//@* |
here()/ancestor::dsig:Signature[1]/../../form1[1]//namespace::*</XPath>
</Transform>
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>IIiJsLFvk2HvWO+roUQwC0P/ODw=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
..
..
..
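
Added example, not part of the original thread and not code from Adobe or Microsoft: a C# pre-flight check that walks each Reference in a received Signature and reports every Transform whose Algorithm has no built-in SignedXml counterpart, including the XPath Filter 2.0 set operation and expression. The names TransformPreflight and FindUnsupported are hypothetical, and the sample XML is constructed from the second Reference quoted above.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.Xml; // System.Security.dll on .NET Framework
using System.Xml;

static class TransformPreflight // hypothetical helper, not a framework class
{
    const string Filter2 = "http://www.w3.org/2002/06/xmldsig-filter2";
    // Transform URIs for which SignedXml ships a constant (and a Transform class).
    static readonly HashSet<string> BuiltIn = new HashSet<string> {
        SignedXml.XmlDsigC14NTransformUrl, SignedXml.XmlDsigC14NWithCommentsTransformUrl,
        SignedXml.XmlDsigExcC14NTransformUrl, SignedXml.XmlDsigExcC14NWithCommentsTransformUrl,
        SignedXml.XmlDsigEnvelopedSignatureTransformUrl, SignedXml.XmlDsigBase64TransformUrl,
        SignedXml.XmlDsigXPathTransformUrl, SignedXml.XmlDsigXsltTransformUrl
    };

    // One finding per Transform whose Algorithm is outside the set above.
    public static List<string> FindUnsupported(XmlDocument doc)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
        ns.AddNamespace("f2", Filter2);
        var findings = new List<string>();
        foreach (XmlElement reference in doc.SelectNodes("//ds:SignedInfo/ds:Reference", ns))
        foreach (XmlElement t in reference.SelectNodes("ds:Transforms/ds:Transform", ns))
        {
            string alg = t.GetAttribute("Algorithm");
            if (BuiltIn.Contains(alg)) continue;
            string detail = "";
            // For Filter 2.0, record each set operation so a reviewer sees what is digested.
            foreach (XmlElement xp in t.SelectNodes("f2:XPath", ns))
                detail += " [" + xp.GetAttribute("Filter") + ": " + xp.InnerText.Trim() + "]";
            findings.Add("Reference URI=\"" + reference.GetAttribute("URI") + "\": " + alg + detail);
        }
        return findings;
    }

    static void Main()
    {
        var doc = new XmlDocument(); // constructed sample: second Reference from the post, trimmed
        doc.LoadXml(@"<Signature xmlns='http://www.w3.org/2000/09/xmldsig#'><SignedInfo><Reference URI=''><Transforms>
  <Transform Algorithm='http://www.w3.org/2002/06/xmldsig-filter2'>
    <XPath xmlns='http://www.w3.org/2002/06/xmldsig-filter2' Filter='intersect'>here()/ancestor::dsig:Signature[1]/../../form1[1]//.</XPath>
  </Transform>
  <Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#WithComments'/>
</Transforms></Reference></SignedInfo></Signature>");
        foreach (string f in FindUnsupported(doc)) Console.WriteLine(f);
    }
}
```

Run against the document before SignedXml.LoadXml(), this turns the load failure described above into a per-Reference report of which transform is missing and which part of the form the digest is meant to cover.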



Re: XPath Filter 2.0 Support? (XML Digital Signatures) clintonG
9/29/2007 10:52:18 PM
I'm in the same boat, Tim, trying to get working on a fillable forms project.
I'm still in the "where's our proposal" stage, with no previous experience in
this niche, trying to figure out what to do without any requirements to speak
of. After three weeks in, I finally learn I'm expected to work with
digitized signature capture using a SignatureGem LCD 1x5 signature pad
integrated using Topaz [1] that is supposed to result in a digital signature
when using Acrobat Reader as the fillable forms client.

I wish there were something I could add to bring insight to your dilemma, but
I'm still several steps behind and hope you let us know what, if anything,
you've figured out.

<%= Clinton Gallagher

[1] http://www.topazsystems.com/

