RE: SignedXML.CheckSignature()/CreateSignature() Alternative?
From: Raj (Raj_at_discussions.microsoft.com)
Date: 09/30/04
- Next message: Dan Guzman: "Re: SQL Injection Prevention"
- Previous message: Shawn Farkas [MS]: "RE: SignedXML.CheckSignature()/CreateSignature() Alternative?"
- In reply to: Shawn Farkas [MS]: "RE: SignedXML.CheckSignature()/CreateSignature() Alternative?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 29 Sep 2004 19:43:02 -0700
Thanks Shawn for your response.
Infact I did read one of your blogs regarding the custom ID Tag which
exactly suggested the same approach..But as you know my other problem is
having the URI as "cid:payLoad" rather than having it as an Empty String or
starting with #!So I cant even write a derived class for the Reference ..
Probably I can create a dummy reference and get the digest values for the
payloads but since I gotta again change the URI to the cid fashion, my
SignatureValue will become invalid..It would have been great if .NET
framework would have allowed URIs starting with cid as well or to have a flag
as part of SignedXML which will make the class not to resolve references and
just give the Signature Value for the SignedInfo.Anyhow based on what I have,
seems like Iam left out with no other option other than to manually implement
the signature Value logic...
Can you please confirm if the below logic used for computing signature value
is correct?
Thanks
Raj
""Shawn Farkas [MS]"" wrote:
> Hi Raj,
>
> Unfortunately, the .NET XML digital signature classes were not designed to
> enable plugging in different protocols. However, if you do not have to
> make your signature stick to a specific schema, (ie, it doesn't have to
> have a pre-defined set of references, and transforms), I can think of two
> possible workarounds.
>
> 1. Instead of using a reference to the data that is to be signed, embed a
> DataObject into the signature containing your MIME data.
> 2. If the data cannot be embeded into the signature, then create a custom
> transform, say MyMineResolverTransform. Then add a dummy reference to your
> signature, and attach this transform to that reference. When the transform
> is invoked, it could resolve the external MIME data and return that as its
> result. The signature engine will sign the hash of the data after its gone
> through all of the transforms, so this will effectively sign your external
> data as well.
>
> -Shawn
> http://blogs.msdn.com/shawnfa
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> Note:
> For the benefit of the community-at-large, all responses to this message
> are best directed to the newsgroup/thread from which they originated.
> --------------------
> > Thread-Topic: SignedXML.CheckSignature()/CreateSignature() Alternative?
> > thread-index: AcSkPjjI+llRzxEgRIeID5RXIhMIcw==
> > X-WBNR-Posting-Host: 65.206.140.229
> > From: =?Utf-8?B?UmFq?= <Raj@discussions.microsoft.com>
> > Subject: SignedXML.CheckSignature()/CreateSignature() Alternative?
> > Date: Sun, 26 Sep 2004 20:01:02 -0700
> > Lines: 39
> > Message-ID: <C3DAFAB2-33AD-43FE-8F99-429CAF368D90@microsoft.com>
> > MIME-Version: 1.0
> > Content-Type: text/plain;
> > charset="Utf-8"
> > Content-Transfer-Encoding: 7bit
> > X-Newsreader: Microsoft CDO for Windows 2000
> > Content-Class: urn:content-classes:message
> > Importance: normal
> > Priority: normal
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> > Newsgroups: microsoft.public.dotnet.security
> > NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
> > Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl
> > Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.security:7497
> > X-Tomcat-NG: microsoft.public.dotnet.security
> >
> > Hi,
> > Iam using SignedXML.CheckSignature() method for validating XMLDSIG
> > SignedInfo signature value. It works great until u have a reference which
> > cant be resolved. My requirement is to sign an MIME attachment which cant
> be
> > directly resolved by SignedInfo class..So Iam trying to manually
> implement
> > the computesignature part and checksignature part using the following code
> >
> > For ComputeSignature implementation, Iam using as below
> >
> > SHA1Managed sha1 = new SHA1Managed();
> > byte [] HashValue =
> > sha1.ComputeHash(Encoding.Default.GetBytes(signinfo));
> > RSAPKCS1SignatureFormatter RSAFormatter = new
> > RSAPKCS1SignatureFormatter(Key);
> > RSAFormatter.SetHashAlgorithm("SHA1");
> > byte [] SigValue = RSAFormatter.CreateSignature(HashValue);
> >
> > For Checksignature implementation, Iam using
> > byte [] SignedHash =
> > Encoding.Default.GetBytes(SignatureValue.InnerText);
> > RSAPKCS1SignatureDeformatter RSADeformatter = new
> > RSAPKCS1SignatureDeformatter(RSA);
> > RSADeformatter.SetHashAlgorithm("SHA1");
> > RSADeformatter.VerifySignature(HashValue, SignedHash)
> >
> > But when I create a simple XML with no reference and get the
> SignatureValue
> > using the SignedXML.CreateSignature() and validate using the manual
> > implementation of CheckSignature as stated above, the VerifySignature
> returns
> > false!
> > So I doubt whether Iam implementing the workaround for SignedXML
> > (Create/CheckSignature) correctly?please do let me know
> >
> > Or if there is a way of computing signature without resolving reference
> data
> > objects with having reference element,please do let me know.I can
> manually
> > compute the digest value of the reference element.
> >
> > Any help would be appreciated
> > Thanks
> > Raj
> >
>
>
- Next message: Dan Guzman: "Re: SQL Injection Prevention"
- Previous message: Shawn Farkas [MS]: "RE: SignedXML.CheckSignature()/CreateSignature() Alternative?"
- In reply to: Shawn Farkas [MS]: "RE: SignedXML.CheckSignature()/CreateSignature() Alternative?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
