X509 signed xml validates in .NET 2.0 but not in 1.1


X509 signed xml validates in .NET 2.0 but not in 1.1 JShak
5/7/2007 11:43:00 PM
dotnet security:
Hi,

I use the following function to validate a signed xml document with an
attached X509 cert. The XML validates in .NET 2.0 but not in 1.1. Any ideas??

Thanks..



// Namespaces this method needs:
// using System.Diagnostics;
// using System.Security.Cryptography.Xml;
// using System.Xml;

public void VerifyXmlSignature(String signedFilename)
{
    // load signed XML document; whitespace must be kept as signed
    XmlDocument xmlDoc = new XmlDocument();
    xmlDoc.PreserveWhitespace = true;
    xmlDoc.Load(signedFilename);

    // create signature wrapper from signed XML file
    SignedXml signedXml = new SignedXml(xmlDoc);

    // get <Signature> node (assume only one exists)
    XmlNodeList nodeList = xmlDoc.GetElementsByTagName("Signature",
        "http://www.w3.org/2000/09/xmldsig#");
    signedXml.LoadXml((XmlElement)nodeList[0]);

    // Report to user on results of signature validation.
    // CheckSignature() with no arguments uses the key found in <KeyInfo>.
    if (signedXml.CheckSignature())
    {
        Debug.WriteLine("Signature is VALID");
    }
    else
    {
        Debug.WriteLine("Signature is NOT VALID");
    }
}

Re: X509 signed xml validates in .NET 2.0 but not in 1.1 Valery Pryamikov
5/8/2007 8:01:43 AM

Unfortunately there seem to be some incompatibility problems in the
implementation of explicit canonical serialization between versions
of the framework (and they both seem to have some compatibility problems
with the standard, which leaves quite a few places to be
misinterpreted and implemented in incompatible ways).
I can't say what could be the problem for sure, but you can check:
a. if you have processing instructions and/or comments in your
document.
b. if you have nonsignificant spaces in your document.

You can try to remove things from your XML and see when it starts
validating in both versions of framework and many would appreciate if
you post your findings here.

<rant>
The standard spec of explicit canonical XML sucks (to say the least)
and has many places that ask for implementation incompatibilities.
For example, in one place the spec states that all significant and
insignificant whitespaces must be preserved! and just a few pages
later it says that serialization of an XPath selection must normalize
nonsignificant whitespaces! Since XML Signature heavily relies on
XPath references, you can treat this statement as if you should always
normalize nonsignificant whitespaces of document fragments being
signed; however, from the other side, "must preserve all spaces
significant or not" is the first thing you see in the spec and it's not clear
how it should apply to XML signatures. Therefore, I know that many
implementations (e.g. java XML security and apache XML security) are
preserving all white spaces. Microsoft's implementation of explicit
canonical serialization always normalizes whitespaces. Which one is
right?...
The XML Signature and Encryption standards are also quite a big mess and a
good example of how not to write standards! Again the same vague
wording that could be understood whatever way you want and
additionally some explicit mistakes related to the use of related
technologies. For the last, take for example the weak padding mode that
was introduced in the XML encryption standard. Even though this padding mode
introduces no problem for XML security (due to a lot of redundancy in
XML), it could lead to serious security failure if it is used
in a different context (with less redundancy in data). And it's known that
people tend to copy design from the standards to all possible
unrelated fields!

So, if anyone asks my opinion - don't use XML security specs if you
really need security. Too many places to make mistakes and too many
possibilities for incompatible implementations that all follow the
standard.
</rant>

-Valery
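
A small diagnostic for the checks suggested in the reply above, added here as an example and not code from either poster: it prints the canonicalization method and per-reference transforms declared in the signature, then counts the comments, processing instructions and whitespace-only nodes in the document. The class name `SignatureDiagnostics` and the command-line argument are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography.Xml;
using System.Xml;

public class SignatureDiagnostics
{
    // Tally the node kinds the reply names as canonicalization trouble spots.
    // counts[0] = comments, counts[1] = processing instructions,
    // counts[2] = whitespace-only nodes (kept because PreserveWhitespace is true).
    static void Count(XmlNode node, int[] counts)
    {
        switch (node.NodeType)
        {
            case XmlNodeType.Comment: counts[0]++; break;
            case XmlNodeType.ProcessingInstruction: counts[1]++; break;
            case XmlNodeType.Whitespace:
            case XmlNodeType.SignificantWhitespace: counts[2]++; break;
        }
        foreach (XmlNode child in node.ChildNodes) Count(child, counts);
    }

    public static void Main(string[] args)
    {
        XmlDocument doc = new XmlDocument();
        doc.PreserveWhitespace = true;   // same setting as the verification code
        doc.Load(args[0]);               // path to the signed file

        XmlNodeList sigs = doc.GetElementsByTagName("Signature",
            "http://www.w3.org/2000/09/xmldsig#");
        if (sigs.Count != 1)
        {
            Console.WriteLine("Expected exactly one <Signature>, found " + sigs.Count);
            return;
        }
        SignedXml signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigs[0]);

        // What the signer declared: these URIs decide how bytes are produced for hashing.
        Console.WriteLine("C14N method: " + signedXml.SignedInfo.CanonicalizationMethod);
        foreach (Reference r in signedXml.SignedInfo.References)
        {
            Console.WriteLine("Reference URI='" + r.Uri + "' digest=" + r.DigestMethod);
            for (int i = 0; i < r.TransformChain.Count; i++)
                Console.WriteLine("  transform: " + r.TransformChain[i].Algorithm);
        }

        int[] counts = new int[3];
        Count(doc, counts);
        Console.WriteLine("comments=" + counts[0] + " PIs=" + counts[1]
            + " whitespace-only nodes=" + counts[2]);
    }
}
```

Running it on the failing file shows which of the reply's two conditions apply, so those nodes can be removed one kind at a time from a test copy that is then re-signed and verified under both framework versions.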