| Groups | Blog | Home |
dotnet security : SignedXML.CheckSignature()/CreateSignature() Alternative?
Iam using SignedXML.CheckSignature() method for validating XMLDSIG SignedInfo signature value. It works great until u have a reference which cant be resolved. My requirement is to sign an MIME attachment which cant be directly resolved by SignedInfo class..So Iam trying to manually implement the computesignature part and checksignature part using the following code For ComputeSignature implementation, Iam using as below SHA1Managed sha1 = new SHA1Managed(); byte [] HashValue = sha1.ComputeHash(Encoding.Default.GetBytes(signinfo)); RSAPKCS1SignatureFormatter RSAFormatter = new RSAPKCS1SignatureFormatter(Key); RSAFormatter.SetHashAlgorithm("SHA1"); byte [] SigValue = RSAFormatter.CreateSignature(HashValue); For Checksignature implementation, Iam using byte [] SignedHash = Encoding.Default.GetBytes(SignatureValue.InnerText); RSAPKCS1SignatureDeformatter RSADeformatter = new RSAPKCS1SignatureDeformatter(RSA); RSADeformatter.SetHashAlgorithm("SHA1"); RSADeformatter.VerifySignature(HashValue, SignedHash) But when I create a simple XML with no reference and get the SignatureValue using the SignedXML.CreateSignature() and validate using the manual implementation of CheckSignature as stated above, the VerifySignature returns false! So I doubt whether Iam implementing the workaround for SignedXML (Create/CheckSignature) correctly?please do let me know Or if there is a way of computing signature without resolving reference data objects with having reference element,please do let me know.I can manually compute the digest value of the reference element. Any help would be appreciated Thanks
Thanks Shawn for your response.
Infact I did read one of your blogs regarding the custom ID Tag which exactly suggested the same approach..But as you know my other problem is having the URI as "cid:payLoad" rather than having it as an Empty String or starting with #!So I cant even write a derived class for the Reference .. Probably I can create a dummy reference and get the digest values for the payloads but since I gotta again change the URI to the cid fashion, my SignatureValue will become invalid..It would have been great if .NET framework would have allowed URIs starting with cid as well or to have a flag as part of SignedXML which will make the class not to resolve references and just give the Signature Value for the SignedInfo.Anyhow based on what I have, seems like Iam left out with no other option other than to manually implement the signature Value logic... Can you please confirm if the below logic used for computing signature value is correct? Thanks Raj [quoted text, click to view] ""Shawn Farkas [MS]"" wrote:
> Hi Raj, > > Unfortunately, the .NET XML digital signature classes were not designed to > enable plugging in different protocols. However, if you do not have to > make your signature stick to a specific schema, (ie, it doesn't have to > have a pre-defined set of references, and transforms), I can think of two > possible workarounds. > > 1. Instead of using a reference to the data that is to be signed, embed a > DataObject into the signature containing your MIME data. > 2. If the data cannot be embeded into the signature, then create a custom > transform, say MyMineResolverTransform. Then add a dummy reference to your > signature, and attach this transform to that reference. When the transform > is invoked, it could resolve the external MIME data and return that as its > result. The signature engine will sign the hash of the data after its gone > through all of the transforms, so this will effectively sign your external > data as well. > > -Shawn > http://blogs.msdn.com/shawnfa > -- > This posting is provided "AS IS" with no warranties, and confers no rights. > > > Note: > For the benefit of the community-at-large, all responses to this message > are best directed to the newsgroup/thread from which they originated. > -------------------- > > Thread-Topic: SignedXML.CheckSignature()/CreateSignature() Alternative? > > thread-index: AcSkPjjI+llRzxEgRIeID5RXIhMIcw== > > X-WBNR-Posting-Host: 65.206.140.229 > > From: =?Utf-8?B?UmFq?= <Raj@discussions.microsoft.com> > > Subject: SignedXML.CheckSignature()/CreateSignature() Alternative? > > Date: Sun, 26 Sep 2004 20:01:02 -0700 > > Lines: 39 > > Message-ID: <C3DAFAB2-33AD-43FE-8F99-429CAF368D90@microsoft.com> > > MIME-Version: 1.0 > > Content-Type: text/plain; > > charset="Utf-8" > > Content-Transfer-Encoding: 7bit > > X-Newsreader: Microsoft CDO for Windows 2000 > > Content-Class: urn:content-classes:message > > Importance: normal > > Priority: normal > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0 > > Newsgroups: microsoft.public.dotnet.security > > NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29 > > Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl > > Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.security:7497 > > X-Tomcat-NG: microsoft.public.dotnet.security > > > > Hi, > > Iam using SignedXML.CheckSignature() method for validating XMLDSIG > > SignedInfo signature value. It works great until u have a reference which > > cant be resolved. My requirement is to sign an MIME attachment which cant > be > > directly resolved by SignedInfo class..So Iam trying to manually > implement > > the computesignature part and checksignature part using the following code > > > > For ComputeSignature implementation, Iam using as below > > > > SHA1Managed sha1 = new SHA1Managed(); > > byte [] HashValue = > > sha1.ComputeHash(Encoding.Default.GetBytes(signinfo)); > > RSAPKCS1SignatureFormatter RSAFormatter = new > > RSAPKCS1SignatureFormatter(Key); > > RSAFormatter.SetHashAlgorithm("SHA1"); > > byte [] SigValue = RSAFormatter.CreateSignature(HashValue); > > > > For Checksignature implementation, Iam using > > byte [] SignedHash = > > Encoding.Default.GetBytes(SignatureValue.InnerText); > > RSAPKCS1SignatureDeformatter RSADeformatter = new > > RSAPKCS1SignatureDeformatter(RSA); > > RSADeformatter.SetHashAlgorithm("SHA1"); > > RSADeformatter.VerifySignature(HashValue, SignedHash) > > > > But when I create a simple XML with no reference and get the > SignatureValue > > using the SignedXML.CreateSignature() and validate using the manual > > implementation of CheckSignature as stated above, the VerifySignature > returns > > false! > > So I doubt whether Iam implementing the workaround for SignedXML > > (Create/CheckSignature) correctly?please do let me know > > > > Or if there is a way of computing signature without resolving reference > data > > objects with having reference element,please do let me know.I can > manually > > compute the digest value of the reference element. > > > > Any help would be appreciated > > Thanks > > Raj > > >
Hi Raj,
Unfortunately, the .NET XML digital signature classes were not designed to enable plugging in different protocols. However, if you do not have to make your signature stick to a specific schema, (ie, it doesn't have to have a pre-defined set of references, and transforms), I can think of two possible workarounds. 1. Instead of using a reference to the data that is to be signed, embed a DataObject into the signature containing your MIME data. 2. If the data cannot be embeded into the signature, then create a custom transform, say MyMineResolverTransform. Then add a dummy reference to your signature, and attach this transform to that reference. When the transform is invoked, it could resolve the external MIME data and return that as its result. The signature engine will sign the hash of the data after its gone through all of the transforms, so this will effectively sign your external data as well. -Shawn http://blogs.msdn.com/shawnfa -- This posting is provided "AS IS" with no warranties, and confers no rights. Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated. -------------------- [quoted text, click to view] > Thread-Topic: SignedXML.CheckSignature()/CreateSignature() Alternative?
> thread-index: AcSkPjjI+llRzxEgRIeID5RXIhMIcw== > X-WBNR-Posting-Host: 65.206.140.229 > From: =?Utf-8?B?UmFq?= <Raj@discussions.microsoft.com> > Subject: SignedXML.CheckSignature()/CreateSignature() Alternative? > Date: Sun, 26 Sep 2004 20:01:02 -0700 > Lines: 39 > Message-ID: <C3DAFAB2-33AD-43FE-8F99-429CAF368D90@microsoft.com> > MIME-Version: 1.0 > Content-Type: text/plain; > charset="Utf-8" > Content-Transfer-Encoding: 7bit > X-Newsreader: Microsoft CDO for Windows 2000 > Content-Class: urn:content-classes:message > Importance: normal > Priority: normal > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0 > Newsgroups: microsoft.public.dotnet.security > NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29 > Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl > Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.security:7497 > X-Tomcat-NG: microsoft.public.dotnet.security > > Hi, > Iam using SignedXML.CheckSignature() method for validating XMLDSIG > SignedInfo signature value. It works great until u have a reference which > cant be resolved. My requirement is to sign an MIME attachment which cant be > directly resolved by SignedInfo class..So Iam trying to manually implement > the computesignature part and checksignature part using the following code > > For ComputeSignature implementation, Iam using as below > > SHA1Managed sha1 = new SHA1Managed(); > byte [] HashValue = > sha1.ComputeHash(Encoding.Default.GetBytes(signinfo)); > RSAPKCS1SignatureFormatter RSAFormatter = new > RSAPKCS1SignatureFormatter(Key); > RSAFormatter.SetHashAlgorithm("SHA1"); > byte [] SigValue = RSAFormatter.CreateSignature(HashValue); > > For Checksignature implementation, Iam using > byte [] SignedHash = > Encoding.Default.GetBytes(SignatureValue.InnerText); > RSAPKCS1SignatureDeformatter RSADeformatter = new > RSAPKCS1SignatureDeformatter(RSA); > RSADeformatter.SetHashAlgorithm("SHA1"); > RSADeformatter.VerifySignature(HashValue, SignedHash) > > But when I create a simple XML with no reference and get the SignatureValue > using the SignedXML.CreateSignature() and validate using the manual > implementation of CheckSignature as stated above, the VerifySignature returns > false! > So I doubt whether Iam implementing the workaround for SignedXML > (Create/CheckSignature) correctly?please do let me know > > Or if there is a way of computing signature without resolving reference data > objects with having reference element,please do let me know.I can manually > compute the digest value of the reference element. > > Any help would be appreciated > Thanks > Raj >
Right, if you're using a custom URI format, you won't be able to simply
subclass Reference ... the CLR's implementation of XML signatures doesn't allow for pluggable URI formats. Writing your own ComputeSignature method is very difficult, there are many issues involved such as propigating namespaces, cannonicalization, correctly invoking transform chains, etc. Unfortunately, right now, there's really no good way to do what you're attempting in managed code. -Shawn http://blogs.msdn.com/shawnfa -- This posting is provided "AS IS" with no warranties, and confers no rights. Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated. -------------------- [quoted text, click to view] > Thread-Topic: SignedXML.CheckSignature()/CreateSignature() Alternative?
> thread-index: AcSmlzS4mzlKFANwTuWC6e27/KFSMw== > X-WBNR-Posting-Host: 65.206.140.228 > From: =?Utf-8?B?UmFq?= <Raj@discussions.microsoft.com> > References: <C3DAFAB2-33AD-43FE-8F99-429CAF368D90@microsoft.com> <uaVUYynpEHA.2640@cpmsftngxa06.phx.gbl> > Subject: RE: SignedXML.CheckSignature()/CreateSignature() Alternative? > Date: Wed, 29 Sep 2004 19:43:02 -0700 > Lines: 121 > Message-ID: <E7161028-66CD-4506-807A-4B47D84130C3@microsoft.com> > MIME-Version: 1.0 > Content-Type: text/plain; > charset="Utf-8" > Content-Transfer-Encoding: 7bit > X-Newsreader: Microsoft CDO for Windows 2000 > Content-Class: urn:content-classes:message > Importance: normal > Priority: normal > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0 > Newsgroups: microsoft.public.dotnet.security > NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29 > Path: cpmsftngxa06.phx.gbl!TK2MSFTNGXA03.phx.gbl > Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.security:7579 > X-Tomcat-NG: microsoft.public.dotnet.security > > Thanks Shawn for your response. > Infact I did read one of your blogs regarding the custom ID Tag which > exactly suggested the same approach..But as you know my other problem is > having the URI as "cid:payLoad" rather than having it as an Empty String or > starting with #!So I cant even write a derived class for the Reference .. > Probably I can create a dummy reference and get the digest values for the > payloads but since I gotta again change the URI to the cid fashion, my > SignatureValue will become invalid..It would have been great if .NET > framework would have allowed URIs starting with cid as well or to have a flag > as part of SignedXML which will make the class not to resolve references and > just give the Signature Value for the SignedInfo.Anyhow based on what I have, > seems like Iam left out with no other option other than to manually implement > the signature Value logic... > Can you please confirm if the below logic used for computing signature value > is correct? > Thanks > Raj > > > > ""Shawn Farkas [MS]"" wrote: > > > Hi Raj, > > > > Unfortunately, the .NET XML digital signature classes were not designed to > > enable plugging in different protocols. However, if you do not have to > > make your signature stick to a specific schema, (ie, it doesn't have to > > have a pre-defined set of references, and transforms), I can think of two > > possible workarounds. > > > > 1. Instead of using a reference to the data that is to be signed, embed a > > DataObject into the signature containing your MIME data. > > 2. If the data cannot be embeded into the signature, then create a custom > > transform, say MyMineResolverTransform. Then add a dummy reference to your > > signature, and attach this transform to that reference. When the transform > > is invoked, it could resolve the external MIME data and return that as its > > result. The signature engine will sign the hash of the data after its gone > > through all of the transforms, so this will effectively sign your external > > data as well. > > > > -Shawn > > http://blogs.msdn.com/shawnfa > > -- > > This posting is provided "AS IS" with no warranties, and confers no rights. > > > > > > Note: > > For the benefit of the community-at-large, all responses to this message > > are best directed to the newsgroup/thread from which they originated. > > -------------------- > > > Thread-Topic: SignedXML.CheckSignature()/CreateSignature() Alternative? > > > thread-index: AcSkPjjI+llRzxEgRIeID5RXIhMIcw== > > > X-WBNR-Posting-Host: 65.206.140.229 > > > From: =?Utf-8?B?UmFq?= <Raj@discussions.microsoft.com> > > > Subject: SignedXML.CheckSignature()/CreateSignature() Alternative? > > > Date: Sun, 26 Sep 2004 20:01:02 -0700 > > > Lines: 39 > > > Message-ID: <C3DAFAB2-33AD-43FE-8F99-429CAF368D90@microsoft.com> > > > MIME-Version: 1.0 > > > Content-Type: text/plain; > > > charset="Utf-8" > > > Content-Transfer-Encoding: 7bit > > > X-Newsreader: Microsoft CDO for Windows 2000 > > > Content-Class: urn:content-classes:message > > > Importance: normal > > > Priority: normal > > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0 > > > Newsgroups: microsoft.public.dotnet.security > > > NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29 > > > Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl > > > Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.security:7497 > > > X-Tomcat-NG: microsoft.public.dotnet.security > > > > > > Hi, > > > Iam using SignedXML.CheckSignature() method for validating XMLDSIG > > > SignedInfo signature value. It works great until u have a reference which > > > cant be resolved. My requirement is to sign an MIME attachment which cant > > be > > > directly resolved by SignedInfo class..So Iam trying to manually > > implement > > > the computesignature part and checksignature part using the following code > > > > > > For ComputeSignature implementation, Iam using as below > > > > > > SHA1Managed sha1 = new SHA1Managed(); > > > byte [] HashValue = > > > sha1.ComputeHash(Encoding.Default.GetBytes(signinfo)); > > > RSAPKCS1SignatureFormatter RSAFormatter = new > > > RSAPKCS1SignatureFormatter(Key); > > > RSAFormatter.SetHashAlgorithm("SHA1"); > > > byte [] SigValue = RSAFormatter.CreateSignature(HashValue); > > > > > > For Checksignature implementation, Iam using > > > byte [] SignedHash = > > > Encoding.Default.GetBytes(SignatureValue.InnerText); > > > RSAPKCS1SignatureDeformatter RSADeformatter = new > > > RSAPKCS1SignatureDeformatter(RSA); > > > RSADeformatter.SetHashAlgorithm("SHA1"); > > > RSADeformatter.VerifySignature(HashValue, SignedHash) > > > > > > But when I create a simple XML with no reference and get the > > SignatureValue > > > using the SignedXML.CreateSignature() and validate using the manual
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
| home · blog · groups | Questions? Comments? Contact the dn |