Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

SignedXml does not properly handle xml namespace attributes


Symptoms

An XML signature such as the one below cannot be verified by the SignedXml class.

<tns:CertificateStatusResponse xmlns="" xmlns:dpfunc="http://www.datapower.com/extensions/functions" xml:id="response">
<tns:ReturnCode>00</tns:ReturnCode>
<tns:ReturnText>OK</tns:ReturnText>
<tns:CertificateStatus>
  <tns:CertificateSerialNo>3419000000001401</tns:CertificateSerialNo>
  <tns:CertificateType>signing</tns:CertificateType>
  <tns:MatchingCertificateSerialNo>3419000000001402</tns:MatchingCertificateSerialNo>
  <tns:Status><tns:revoked revocationDate="2011-01-21T10:12:04Z" CRLReason="1"/></tns:Status>
</tns:CertificateStatus>
<tns:Timestamp>2011-02-02T14:53:47Z</tns:Timestamp>
<tns:RequestId>hls=</tns:RequestId>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <Reference URI="#response">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>4hTmTRbInGChuyeqoRs06Tug30s=</DigestValue>
  </Reference>
</SignedInfo>
<SignatureValue>jHG4+lRvqs1g8ZRLCdND7lT7qFQr6YnzQ...</SignatureValue>
<KeyInfo>
 <X509Data>
   <X509Certificate>MIIEADCCAuigAwIBAgIFAMa3vBEwDQYJKoZIhvcNAQELB...</X509Certificate>
  </X509Data>
</KeyInfo>
</Signature>
</tns:CertificateStatusResponse>



Cause

When SignedXml.CheckSignature() attempts to verify the signature, it canonicalizes the SignedInfo node and incorrectly lets it inherit xml namespace attributes from its ancestors. In this case the xml:id attribute on the root element is inherited down to SignedInfo, which should not happen; the resulting canonical form no longer matches what was signed, so the signature fails to verify.



Resolution

In .NET 4.0, this can be remedied by registering a custom transform for the canonicalization algorithm URI. The custom transform strips out the inherited xml:id attribute and then delegates to the built-in exclusive C14N transform.

The custom transform class is very short and straightforward.
using System.Security.Cryptography.Xml;
using System.Xml;

public class MyXmlDsigExcC14NTransform : XmlDsigExcC14NTransform
{
   public MyXmlDsigExcC14NTransform() {}

   public override void LoadInput(object obj)
   {
      // SignedXml hands the canonicalization transform an XmlDocument whose root is
      // SignedInfo. Other inputs (a Stream, or an XmlNodeList coming out of a reference
      // transform chain) are passed through untouched instead of failing on a hard cast.
      XmlDocument doc = obj as XmlDocument;
      XmlElement root = (doc != null) ? doc.DocumentElement : null;
      // Drop the xml:id wrongly inherited from an ancestor before canonicalizing.
      // LocalName also matches a prefixed SignedInfo (e.g. ds:SignedInfo).
      if (root != null && root.LocalName == "SignedInfo") root.RemoveAttribute("xml:id");
      base.LoadInput(obj);
   }
}

At the beginning of your application, MyXmlDsigExcC14NTransform can be registered with the following call:
CryptoConfig.AddAlgorithm(typeof(MyXmlDsigExcC14NTransform), "http://www.w3.org/2001/10/xml-exc-c14n#");

When SignedXml.CheckSignature() is called, MyXmlDsigExcC14NTransform performs the canonicalization and strips out the xml:id attribute.
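The following program is an added example and is not part of the KB article or of Microsoft's code. It puts the Resolution section together end to end: it registers the custom transform once at startup, shows directly that a SignedInfo element carrying xml:id canonicalizes without it, and then signs and verifies a document whose root carries xml:id="response" with the same transforms as the sample in Symptoms (enveloped signature, exclusive C14N, reference URI "#response"). The class names XmlIdSignedXml and SignedXmlDemo, the methods Sign, Verify and CanonicalizeSignedInfo, the namespace urn:example:tns and the sample XML are all constructed for this example. It also assumes that SignedXml's default id lookup does not recognise xml:id, which is why GetIdElement is overridden to resolve the reference with an explicit xml:id XPath query.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Transform from the KB's Resolution section, with a type guard so inputs other than an
// XmlDocument (e.g. a node list from a reference transform chain) pass straight through.
public class MyXmlDsigExcC14NTransform : XmlDsigExcC14NTransform
{
    public override void LoadInput(object obj)
    {
        XmlDocument doc = obj as XmlDocument;
        XmlElement root = (doc != null) ? doc.DocumentElement : null;
        // Only SignedInfo loses the inherited xml:id; referenced content keeps its own.
        if (root != null && root.LocalName == "SignedInfo") root.RemoveAttribute("xml:id");
        base.LoadInput(obj);
    }
}

// Assumption (not from the KB): SignedXml's default id lookup does not know xml:id, so the
// URI "#response" is resolved with an explicit xml:id XPath query when the base lookup fails.
public class XmlIdSignedXml : SignedXml
{
    public XmlIdSignedXml(XmlDocument doc) : base(doc) { }

    public override XmlElement GetIdElement(XmlDocument document, string idValue)
    {
        XmlElement elem = base.GetIdElement(document, idValue);
        if (elem != null) return elem;
        XmlConvert.VerifyNCName(idValue); // reject any id value that could alter the XPath
        XmlNamespaceManager ns = new XmlNamespaceManager(document.NameTable); // "xml" is pre-bound
        return document.SelectSingleNode("//*[@xml:id='" + idValue + "']", ns) as XmlElement;
    }
}

public static class SignedXmlDemo
{
    // Constructed sample with the same shape as the response in Symptoms: the root carries
    // xml:id="response" and is the target of the enveloped signature.
    const string SampleXml =
        "<tns:CertificateStatusResponse xmlns:tns=\"urn:example:tns\" xml:id=\"response\">" +
        "<tns:ReturnCode>00</tns:ReturnCode>" +
        "<tns:Timestamp>2011-02-02T14:53:47Z</tns:Timestamp>" +
        "</tns:CertificateStatusResponse>";

    // Enveloped signature over #response with the same transforms as the KB sample.
    public static void Sign(XmlDocument doc, RSA key)
    {
        XmlIdSignedXml signedXml = new XmlIdSignedXml(doc) { SigningKey = key };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        Reference reference = new Reference("#response");
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);
        KeyInfo keyInfo = new KeyInfo();
        keyInfo.AddClause(new RSAKeyValue(key));
        signedXml.KeyInfo = keyInfo;
        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
    }

    // Verifies the single enveloped signature using the public key carried in KeyInfo.
    public static bool Verify(XmlDocument signedDoc)
    {
        XmlNodeList sigs = signedDoc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1) return false; // exactly one signature is expected
        XmlIdSignedXml signedXml = new XmlIdSignedXml(signedDoc);
        signedXml.LoadXml((XmlElement)sigs[0]);
        return signedXml.CheckSignature();
    }

    // Shows the transform's effect directly: canonical SignedInfo without the stray xml:id.
    public static string CanonicalizeSignedInfo(string signedInfoXml)
    {
        XmlDocument doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(signedInfoXml);
        Transform t = new MyXmlDsigExcC14NTransform();
        t.LoadInput(doc);
        using (StreamReader reader = new StreamReader((Stream)t.GetOutput(typeof(Stream))))
            return reader.ReadToEnd();
    }

    public static void Main()
    {
        // Register once at startup, as the KB describes; CryptoConfig then hands this class to
        // both ComputeSignature and CheckSignature for the exc-c14n URI.
        CryptoConfig.AddAlgorithm(typeof(MyXmlDsigExcC14NTransform), SignedXml.XmlDsigExcC14NTransformUrl);
        Console.WriteLine(CanonicalizeSignedInfo(
            "<SignedInfo xml:id=\"response\" xmlns=\"http://www.w3.org/2000/09/xmldsig#\"/>"));
        XmlDocument doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(SampleXml);
        using (RSACryptoServiceProvider key = new RSACryptoServiceProvider(2048))
            Sign(doc, key);
        Console.WriteLine(Verify(doc) ? "signature valid" : "signature INVALID");
    }
}
```

Because the registration is keyed on the exc-c14n URI, the same class is also instantiated for the Reference's exclusive C14N transform during verification; there its input root is the signed element rather than SignedInfo, so the LocalName guard leaves the element's own xml:id in place, which is what keeps the digest over the referenced content intact. The VerifyNCName check in GetIdElement is there because the reference URI comes from the untrusted signature and is spliced into an XPath expression.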



Keywords: kb


Article Info
Article ID : 2639079
Revision : 1
Created on : 1/7/2017
Published on : 11/8/2011
Exists online : False
Views : 114