Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

After you apply security update 3141780, .NET Framework applications encounter exception errors or unexpected failures while processing files that contain SignedXml


Summary

After you install any of the 3141780 security updates (described in Microsoft security bulletin MS16-035), .NET Framework applications may encounter exception errors or unexpected failures when they are processing files that contain SignedXml.



More Information

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

Scenario 1

Scenario 1 symptoms

Managed applications throw an exception that has the following signature:

System.Security.Cryptography.CryptographicException: Unable to resolve Uri [FileOrUrl].


Example

System.Security.Cryptography.CryptographicException: Unable to resolve Uri testfile.xml.



Scenario 1 resolution

Customers can apply the following registry key to their system:

Registry entry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security@SignedXmlAllowDetachedSignature=1


.Reg file available for download

To resolve this problem, click the appropriate link, and then double-click the downloaded file to make the registry changes.

SignedXml-ExternalReferences.reg (32-bit process on 32-bit system and 64-bit process on 64-bit system)

SignedXml-ExternalReferences.Wow6432.reg (32-bit process on 64-bit system)


Notes
  • This registry entry should be a DWORD entry.
  • This registry entry restores the previous behavior, in which a resource that is external to the document being verified is opened or downloaded so that its digest can be computed.
Warning Enabling this registry key could allow security vulnerabilities including Denial of Service, Distributed Reflection Denial of Service, Information Disclosure, Signature Bypass, and Remote Code Execution.
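The following PowerShell script is an added example and is not part of the KB article or of Microsoft's .reg files. It audits the SignedXmlAllowDetachedSignature value described above under both registry views (native and Wow6432Node), confirms that it has the REG_DWORD type the Notes require, and can set or clear it with -WhatIf support. The key path and value name are taken from the article; the function names and the Wow6432Node path are assumptions made here, and the script must run in an elevated 64-bit PowerShell session (a 32-bit PowerShell process on 64-bit Windows would be redirected to the Wow6432Node view).

```powershell
# Added example, not from the KB article: audit / set the SignedXmlAllowDetachedSignature opt-out.
# Key path and value name come from the article; function names are ours.

$DetachedSignaturePaths = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\Security',             # native view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security'  # 32-bit process on 64-bit Windows (assumed path)
)
$ValueName = 'SignedXmlAllowDetachedSignature'

function Get-SignedXmlDetachedSignatureState {
    # One record per registry view: is the value present, is it a DWORD, and is it set to 1?
    foreach ($path in $DetachedSignaturePaths) {
        $state = [pscustomobject]@{ Path = $path; Present = $false; Kind = $null; Data = $null; Enabled = $false }
        if (Test-Path $path) {
            $key = Get-Item $path
            if ($key.GetValueNames() -contains $ValueName) {
                $state.Present = $true
                $state.Kind    = $key.GetValueKind($ValueName)   # article: must be a DWORD entry
                $state.Data    = $key.GetValue($ValueName)
                # A REG_SZ "1" or a DWORD of 0 does not re-enable detached references
                $state.Enabled = ($state.Kind -eq 'DWord' -and $state.Data -eq 1)
            }
        }
        $state
    }
}

function Set-SignedXmlDetachedSignature {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Disable)   # default writes 1, which is what the article's .reg files do
    $data = if ($Disable) { 0 } else { 1 }
    foreach ($path in $DetachedSignaturePaths) {
        # Wow6432Node exists only on 64-bit Windows; skip that view on a 32-bit system
        if ($path -like '*Wow6432Node*' -and -not (Test-Path 'HKLM:\SOFTWARE\Wow6432Node')) { continue }
        if ($PSCmdlet.ShouldProcess("$path\$ValueName", "set REG_DWORD to $data")) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            New-ItemProperty -Path $path -Name $ValueName -PropertyType DWord -Value $data -Force | Out-Null
        }
    }
}

# Audit first; apply only after deciding the documents really need detached references.
Get-SignedXmlDetachedSignatureState | Format-Table -AutoSize
Set-SignedXmlDetachedSignature -WhatIf
```

Because the value re-enables fetching of resources outside the signed document, the audit function is the part worth scheduling: a value that was added during an incident and never removed keeps the pre-update behavior on that machine indefinitely.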

Scenario 2

Scenario 2 symptoms

Signature verification fails when success was expected.



Scenario 2 resolution

If the content contains the following signature block, consider applying the provided registry entry:

Signature block example

<Document>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="...">
        <Transforms>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>…</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>…</SignatureValue>
  </Signature>
</Document>


Registry entry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\SafeTransformMethods@XmlDsigXPathTransform=http://www.w3.org/TR/1999/REC-xpath-19991116


.Reg file available for download

To resolve this problem, click the appropriate link, and then double-click the downloaded file to make the registry changes.

XmlDSigXPathTransform.reg (32-bit process on 32-bit system and 64-bit process on 64-bit system)


XmlDSigXPathTransform.Wow6432.reg (32-bit process on 64-bit system)

If the signature block contains the following text, consider applying the provided registry entry:

Signature block example

<Document>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="...">
        <Transforms>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>…</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>…</SignatureValue>
  </Signature>
</Document>


Registry entry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\SafeTransformMethods@XmlDsigXsltTransform=http://www.w3.org/TR/1999/REC-xslt-19991116

.Reg file available for download

To resolve this problem, click the appropriate link, and then double-click the downloaded file to make the registry changes.

XmlDSigXsltTransform.reg (32-bit process on 32-bit system and 64-bit process on 64-bit system)

XmlDSigXsltTransform.Wow6432.reg (32-bit process on 64-bit system)

Note By default, only those XML Signature Transforms that are provided by the .NET Framework and do not accept input from the signed document are enabled. To enable input-accepting transforms or custom transforms, the registered URI for that transform must be specified as the data of a REG_SZ-typed value within this registry key. The name of the value is not processed, and it can be anything that the computer administrator chooses.

Warning The XPath and XSLT transforms allow the document sender to construct documents that are computationally expensive. This could cause a Denial of Service situation.
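The following PowerShell script is an added example and is not part of the KB article. It serves both scenarios above: before a document is handed to SignedXml, it lists each Reference URI and flags the ones that point outside the document (the cause of the "Unable to resolve Uri" exception in Scenario 1), and it lists each Transform algorithm and compares it with the REG_SZ data found under the SafeTransformMethods key, so the XPath and XSLT references that would fail verification on this machine (Scenario 2) are reported before CheckSignature is ever called. The key path, the two transform URIs and the rule that only the value data matters are taken from the article; the Wow6432Node path, the function names and the sample document at the end are constructed here.

```powershell
# Added example, not from the KB article: pre-flight check of a signed XML document
# against the SafeTransformMethods opt-in key. Key path and transform URIs come from
# the article; the Wow6432Node path, function names and sample document are ours.

$XmlDsigNs = 'http://www.w3.org/2000/09/xmldsig#'

# Transforms that take input from the signed document and are therefore disabled by default
$InputAcceptingTransforms = @{
    'http://www.w3.org/TR/1999/REC-xpath-19991116' = 'XmlDsigXPathTransform'
    'http://www.w3.org/TR/1999/REC-xslt-19991116'  = 'XmlDsigXsltTransform'
}

$SafeTransformKeyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\Security\SafeTransformMethods',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\SafeTransformMethods'  # assumed path
)

function Get-EnabledTransformUris {
    # The value NAME is not processed by the framework; only REG_SZ DATA is (article's Note)
    foreach ($path in $SafeTransformKeyPaths) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValueKind($name) -eq 'String') { $key.GetValue($name) }
        }
    }
}

function Get-SignedXmlReferenceReport {
    param([Parameter(Mandatory)][xml]$Document)
    $ns = New-Object System.Xml.XmlNamespaceManager($Document.NameTable)
    $ns.AddNamespace('ds', $XmlDsigNs)
    $enabled = @(Get-EnabledTransformUris)
    foreach ($ref in $Document.SelectNodes('//ds:Signature/ds:SignedInfo/ds:Reference', $ns)) {
        $uri = $ref.GetAttribute('URI')
        # "" and "#id" stay inside the document; anything else is a detached reference that the
        # updated framework refuses to resolve unless SignedXmlAllowDetachedSignature=1
        $isDetached = ($uri -ne '' -and -not $uri.StartsWith('#'))
        $transforms = @($ref.SelectNodes('ds:Transforms/ds:Transform', $ns) | ForEach-Object { $_.GetAttribute('Algorithm') })
        # Input-accepting transforms not opted in via SafeTransformMethods will fail verification here
        $blocked = @($transforms | Where-Object { $InputAcceptingTransforms.ContainsKey($_) -and $enabled -notcontains $_ })
        [pscustomobject]@{
            Uri               = $uri
            DetachedReference = $isDetached
            Transforms        = $transforms
            BlockedTransforms = $blocked
        }
    }
}

# Constructed sample: one detached reference that also uses the XPath transform
[xml]$sample = @"
<Document>
  <Signature xmlns="$XmlDsigNs">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="testfile.xml">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>AAAA</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>AAAA</SignatureValue>
  </Signature>
</Document>
"@

Get-SignedXmlReferenceReport -Document $sample | Format-List
```

Running the report over the documents an application actually receives is the cheapest way to decide which of the three registry values, if any, is needed on a given server, and to notice a signer who has started emitting XPath or XSLT transforms that were never part of the agreed format.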



Keywords: kbregistry, kbsurveynew, kbsecvulnerability, kbsecurity, kbsecreview, kbmustloc, kb, kblangall, kbexpertiseinter, kbbug, kbsecbulletin


Article Info
Article ID : 3148821
Revision : 1
Created on : 1/7/2017
Published on : 3/16/2016
Exists online : False
Views : 564