Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
Scenario 1
Scenario 1 symptoms
Managed applications return an error exception that has the following signature:
System.Security.Cryptography.CryptographicException: Unable to resolve Uri [FileOrUrl].
Example System.Security.Cryptography.CryptographicException: Unable to resolve Uri testfile.xml.
Scenario 1 resolution
Customers can apply the following registry key to their system:
Registry entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security@SignedXmlAllowDetachedSignature=1
.Reg file available for download
To resolve this problem, click the appropriate link, and then double-click the downloaded file to make the registry changes.
SignedXml-ExternalReferences.reg (32-bit process on 32-bit system and 64-bit process on 64-bit system)
SignedXml-ExternalReferences.Wow6432.reg (32-bit process on 64-bit system)
Notes
- This registry entry should be a DWORD entry.
- This registry entry restores the previous behavior of opening or downloading a resource that is external to the document being verified to compute its digest.
Warning Enabling this registry key could allow security vulnerabilities including Denial of Service, Distributed Reflection Denial of Service, Information Disclosure, Signature Bypass, and Remote Code Execution.
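The following script is an added example and is not part of this article or of the downloadable .reg files. It audits both registry views (the native path and the Wow6432Node path for 32-bit processes on a 64-bit system) for the Scenario 1 entry, and can apply the DWORD value the article prescribes or remove it again to return to the hardened default. The key path, value name, and data are taken from the article; the function names and the Action parameter are this example's own choices. It assumes Windows PowerShell 5.1 or later, an elevated session (HKEY_LOCAL_MACHINE is written), and a 64-bit host so that the two paths are not silently redirected.

```powershell
# Added example (not from the article): audit, apply, or remove the
# SignedXmlAllowDetachedSignature override in every registry view that
# .NET Framework processes on this computer can read.
[CmdletBinding()]
param(
    [ValidateSet('Audit', 'Apply', 'Remove')]
    [string]$Action = 'Audit'
)

$ValueName = 'SignedXmlAllowDetachedSignature'

# Native view: 64-bit process on 64-bit system, or any process on a 32-bit system.
$KeyPaths = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\Security')
if ([Environment]::Is64BitOperatingSystem) {
    # Redirected view: 32-bit process on 64-bit system.
    $KeyPaths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security'
}

function Get-DetachedSignatureOverride {
    # One record per registry view, stating whether the hardened default still holds.
    foreach ($path in $KeyPaths) {
        $key     = Get-Item -Path $path -ErrorAction SilentlyContinue
        $present = $key -and ($key.GetValueNames() -contains $ValueName)
        $data    = if ($present) { $key.GetValue($ValueName) } else { $null }
        $kind    = if ($present) { $key.GetValueKind($ValueName) } else { $null }
        [pscustomobject]@{
            KeyPath  = $path
            Present  = [bool]$present
            Kind     = $kind
            Data     = $data
            # The article calls for a DWORD set to 1; only that combination
            # re-enables resolution of resources external to the signed document.
            Weakened = [bool]($present -and $kind -eq 'DWord' -and $data -eq 1)
        }
    }
}

function Set-DetachedSignatureOverride {
    # Applies the article's entry: DWORD = 1 in every view, creating the key if needed.
    foreach ($path in $KeyPaths) {
        New-Item -Path $path -Force | Out-Null
        New-ItemProperty -Path $path -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Remove-DetachedSignatureOverride {
    # Restores the hardened default by deleting the value from every view.
    foreach ($path in $KeyPaths) {
        Remove-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
    }
}

switch ($Action) {
    'Apply'  { Set-DetachedSignatureOverride }
    'Remove' { Remove-DetachedSignatureOverride }
}

# Always finish with an audit so the resulting state is visible.
$state = Get-DetachedSignatureOverride
$state | Format-Table KeyPath, Present, Kind, Data, Weakened -AutoSize
if ($state.Weakened -contains $true) {
    Write-Warning 'SignedXml will again open or download external references during digest computation; see the warning in this article.'
}
```

Run it with no arguments to audit, with -Action Apply to make the change described above, and with -Action Remove after the affected application has been fixed so that the default is restored. A 32-bit PowerShell host on a 64-bit system sees HKLM:\SOFTWARE redirected to Wow6432Node, so the audit would report the same view twice; use the 64-bit host.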
Scenario 2
Scenario 2 symptoms
Signature verification fails when success was expected.
Scenario 2 resolution
If the content contains the following signature block, consider applying the provided registry entry:
Signature block example
<Document>
…
</Document>
Registry entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\SafeTransformMethods@XmlDsigXPathTransform=http://www.w3.org/TR/1999/REC-xpath-19991116
.Reg file available for download
To resolve this problem, click the appropriate link, and then double-click the downloaded file to make the registry changes.
XmlDSigXPathTransform.reg (32-bit process on 32-bit system and 64-bit process on 64-bit system)
XmlDSigXPathTransform.Wow6432.reg (32-bit process on 64-bit system)
If the signature block contains the following text, consider applying the provided registry entry:
Signature block example
<Document>
…
</Document>
Registry entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\SafeTransformMethods@XmlDsigXsltTransform=http://www.w3.org/TR/1999/REC-xslt-19991116
.Reg file available for download
To resolve this problem, click the appropriate link, and then double-click the downloaded file to make the registry changes.
XmlDSigXsltTransform.reg (32-bit process on 32-bit system and 64-bit process on 64-bit system)
XmlDSigXsltTransform.Wow6432.reg (32-bit process on 64-bit system)
Note By default, only those XML Signature Transforms that are provided by the .NET Framework and do not accept input from the signed document are enabled. To enable input-accepting transforms or custom transforms, the registered URI for that transform must be specified as the data of a REG_SZ-typed value within this registry key. The name of the value is not processed, and it can be anything that the computer administrator chooses.
Warning The XPath and XSLT transforms allow the document sender to construct documents that are computationally expensive. This could cause a Denial of Service situation.
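The following script is an added example and is not part of this article or of the downloadable .reg files. It lists every transform URI registered under SafeTransformMethods in both registry views, marks the two input-accepting transforms from Scenario 2 and any value that is not REG_SZ (and therefore ignored), and can register a transform URI under an arbitrary value name as the note above describes. The key path, REG_SZ requirement, and the XPath and XSLT URIs are taken from the article; the function names and the generated value name are this example's own choices. It assumes an elevated, 64-bit Windows PowerShell 5.1 or later session.

```powershell
# Added example (not from the article): enumerate and optionally extend the
# SafeTransformMethods allow-list for SignedXml in every registry view.
$SafeTransformKeys = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\Security\SafeTransformMethods')
if ([Environment]::Is64BitOperatingSystem) {
    $SafeTransformKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\SafeTransformMethods'
}

# Transforms that accept input from the signed document. The article warns that
# these let a sender construct computationally expensive documents.
$InputAcceptingTransforms = @{
    'http://www.w3.org/TR/1999/REC-xpath-19991116' = 'XmlDsigXPathTransform'
    'http://www.w3.org/TR/1999/REC-xslt-19991116'  = 'XmlDsigXsltTransform'
}

function Get-EnabledSafeTransform {
    foreach ($keyPath in $SafeTransformKeys) {
        $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
        # Key absent: only the Framework's built-in, non-input-accepting transforms apply.
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            $uri  = [string]$key.GetValue($name)
            $transform = if ($InputAcceptingTransforms.ContainsKey($uri)) {
                $InputAcceptingTransforms[$uri]
            } else {
                '(built-in or custom)'
            }
            [pscustomobject]@{
                KeyPath        = $keyPath
                ValueName      = $name                 # not processed by the Framework
                TransformUri   = $uri
                Kind           = $kind
                Effective      = ($kind -eq 'String')  # the article requires REG_SZ data
                InputAccepting = $InputAcceptingTransforms.ContainsKey($uri)
                Transform      = $transform
            }
        }
    }
}

function Add-SafeTransform {
    param(
        [Parameter(Mandatory)] [string]$TransformUri,
        # Any value name is accepted; one derived from the URI keeps the audit readable.
        [string]$ValueName = ($TransformUri -replace '[^A-Za-z0-9]', '_')
    )
    foreach ($keyPath in $SafeTransformKeys) {
        New-Item -Path $keyPath -Force | Out-Null
        New-ItemProperty -Path $keyPath -Name $ValueName -PropertyType String -Value $TransformUri -Force | Out-Null
    }
}

# Audit: show what is enabled and call out input-accepting or mistyped entries.
$enabled = @(Get-EnabledSafeTransform)
$enabled | Format-Table ValueName, Transform, Kind, Effective, InputAccepting, TransformUri -AutoSize
foreach ($t in $enabled) {
    if ($t.Effective -and $t.InputAccepting) {
        Write-Warning "$($t.Transform) is enabled in $($t.KeyPath); review the Denial of Service warning in this article."
    } elseif (-not $t.Effective) {
        Write-Warning "$($t.ValueName) in $($t.KeyPath) is $($t.Kind), not REG_SZ, so the Framework ignores it."
    }
}
```

To register the XPath transform as in Scenario 2, dot-source the script and call Add-SafeTransform -TransformUri 'http://www.w3.org/TR/1999/REC-xpath-19991116'; rerun the audit afterwards to confirm the value was written as REG_SZ in both views. Removing an entry is a plain Remove-ItemProperty on the value name reported by the audit.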