Manually computing sha1 digest of reference containing base64 encoded string and comparing it to digest value of same reference generated by SignedXML.ComputeSignature - Does not match



I have an XML which I am trying to sign and provide it to one of my
users.

The XML has two nodes: one holds the public part, which is not encrypted,
and the other holds private data. The data in the private node is
encrypted using the user's public key for transferring confidential
information (a base64 string with line breaks after 76 chars — the
InsertLineBreaks format option).

When I sign the XML I add two references to the SignedXml, one for the
public node and the other for the user data.

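// Sign the document with the certificate's private key, referencing the two
// Id-addressed nodes and embedding the signer's certificate chain in <KeyInfo>.
_x509SignerCert = GetCertificateFromStore(_SignerCertLocation, _SignerCertSubject);
if (_x509SignerCert == null)
    return;

SignedXml sig = new SignedXml(_xmlDocToSign);

// Inclusive C14N with comments for <SignedInfo>, RSA/SHA-1 for the signature:
// this is what the consumer of the message expects (see the sample signature
// below). Prefer a SHA-2 signature method once the consumer accepts one.
sig.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigC14NWithCommentsTransformUrl;
sig.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA1Url;
sig.SigningKey = _x509SignerCert.PrivateKey;

// Same-document references. Each digest is taken over the element carrying
// that Id and everything under it; with no <Transforms> listed, XMLDSIG
// prescribes plain inclusive C14N (without comments) for the node set.
// NOTE(review): the digest covers the in-memory text of the node. If that text
// holds CR LF (Convert.ToBase64String with InsertLineBreaks emits CR LF), a
// recipient re-parsing the serialized file sees only LF, because XML parsers
// normalize CR LF to LF unless the CR was written as &#xD; — confirm how the
// document is serialized, or keep CR out of signed text.
sig.AddReference(new Reference("#ID_MyPublicNode"));
sig.AddReference(new Reference("#ID_MyUserData"));

// Embed the chain so the recipient can locate the signing certificate.
// Build() returns false for an incomplete or untrusted chain; ChainElements
// still holds whatever could be assembled, so the signer cert is always first.
KeyInfo ki = new KeyInfo();
X509Chain ch = new X509Chain();
ch.Build(_x509SignerCert);
foreach (X509ChainElement element in ch.ChainElements)
{
    KeyInfoX509Data x509Data = new KeyInfoX509Data(element.Certificate);
    // GetSerialNumberString() is hex; AddIssuerSerial emits it as the decimal
    // <X509SerialNumber> seen in the sample message.
    x509Data.AddIssuerSerial(element.Certificate.Issuer, element.Certificate.GetSerialNumberString());
    ki.AddClause(x509Data);
}
sig.KeyInfo = ki;
sig.ComputeSignature();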

Once I compute the signature I append the signature node to XMLDoc and
send it to the User.

The issue is that the user says the digest value of the referenced data
in the signature does not match, so I started analyzing the XML.

I started generating the digest for the individual nodes (MyPublicNode and
MyUserData) using the following code. The digest value generated for
MyPublicNode matches the value in the reference item in the signature, but
it does not match for MyUserData. What I have found is that if I remove
the newlines from my base64 string in CipherValue (stop using
Base64FormattingOptions.InsertLineBreaks) then I am able to match the
digest value, but if the newlines are there then I am not sure how
ComputeSignature generates the digest for the MyUserData node.

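/// <summary>
/// Recomputes the digest of every same-document reference in the first
/// &lt;Signature&gt; found in <paramref name="_XMLFile"/> and compares it with
/// the &lt;DigestValue&gt; recorded in the signature.
/// </summary>
/// <param name="_XMLFile">Path of the signed XML document.</param>
/// <returns>
/// <c>true</c> when the file contains a signature with at least one reference
/// and every reference digest matches; <c>false</c> when there is no
/// signature, a reference cannot be resolved, any digest differs, or the file
/// cannot be loaded or parsed. Never throws.
/// </returns>
/// <remarks>
/// This is a diagnostic for reference digests only. It does not verify
/// &lt;SignatureValue&gt; against the signer's key and does not parse or chain
/// the certificates in &lt;KeyInfo&gt;; use
/// <see cref="SignedXml.CheckSignature(X509Certificate2, bool)"/> for real
/// verification. Reference &lt;Transforms&gt; are ignored: the digest is taken
/// over the C14N form of the referenced element, which is what a reference
/// with no transforms means.
/// </remarks>
private bool ValidateXMLReferenceDigest(String _XMLFile)
{
    XmlDocument sourceXml = new XmlDocument();
    // Whitespace-only text nodes are part of the canonical form, hence of the
    // digest; they must survive loading.
    sourceXml.PreserveWhitespace = true;
    try
    {
        sourceXml.Load(_XMLFile);
        XmlNodeList signatureNodes = sourceXml.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (signatureNodes.Count == 0)
        {
            return false;
        }

        SignedXml signedXml = new SignedXml(sourceXml);
        signedXml.LoadXml((XmlElement)signatureNodes[0]);

        // A signature with no references proves nothing about the document.
        if (signedXml.SignedInfo.References.Count == 0)
        {
            return false;
        }

        foreach (Reference reference in signedXml.SignedInfo.References)
        {
            if (!ReferenceDigestMatches(sourceXml, signedXml, reference))
            {
                return false;
            }
        }
        return true;
    }
    catch (Exception ex)
    {
        // Callers only see a bool; record why the check failed instead of
        // silently dropping it. A failure part-way through must not leave an
        // earlier "matched" result standing, so this is always false.
        System.Diagnostics.Trace.TraceError("Reference digest check failed for {0}: {1}", _XMLFile, ex);
        return false;
    }
}

/// <summary>
/// Recomputes the digest of one same-document ("#id") reference and compares it
/// with the value recorded in the signature.
/// </summary>
/// <param name="document">The signed document the reference points into.</param>
/// <param name="signedXml">The loaded signature, used to resolve the Id.</param>
/// <param name="reference">The reference whose digest is being checked.</param>
/// <returns>
/// <c>false</c> when the URI is not a "#id" reference, the element is not
/// found, or the digests differ; <c>true</c> when they are byte-identical.
/// </returns>
private static bool ReferenceDigestMatches(XmlDocument document, SignedXml signedXml, Reference reference)
{
    string uri = reference.Uri;
    // Only fragment references are handled. "" (whole document) and external
    // URIs are reported as a mismatch rather than guessed at.
    if (string.IsNullOrEmpty(uri) || uri.Length < 2 || uri[0] != '#')
    {
        return false;
    }

    // GetIdElement resolves the Id the same way ComputeSignature did, and
    // avoids splicing the (untrusted) URI text into an XPath expression.
    XmlElement target = signedXml.GetIdElement(document, uri.Substring(1));
    if (target == null)
    {
        return false;
    }

    // Re-load the element as its own document so the transform's input is a
    // node set rooted at the referenced element.
    // NOTE(review): inclusive C14N of an element inside its original document
    // also renders inherited-but-unused namespace declarations and xml:
    // attributes; OuterXml does not carry those, so this shortcut is only exact
    // when the referenced element has none — as in the sample message.
    XmlDocument subtree = new XmlDocument();
    subtree.PreserveWhitespace = true;
    subtree.LoadXml(target.OuterXml);

    // C14N with comments, as this check always used; for a subtree without
    // comments the output equals plain C14N, which a reference with no
    // <Transforms> implies.
    XmlDsigC14NTransform c14n = new XmlDsigC14NTransform(true);
    c14n.LoadInput(subtree);

    // Honour the digest method declared on the reference; fall back to SHA-1
    // (the only algorithm this check used before) for an unknown URI.
    HashAlgorithm hash = CryptoConfig.CreateFromName(reference.DigestMethod) as HashAlgorithm;
    if (hash == null)
    {
        hash = SHA1.Create();
    }
    using (hash)
    {
        byte[] computed = c14n.GetDigestedOutput(hash);
        // NOTE(review): if the signer hashed text containing CR LF (e.g. from
        // Convert.ToBase64String with InsertLineBreaks), XML end-of-line
        // normalisation on re-parse yields LF only, and the digests will differ
        // unless the CR was serialized as &#xD; — confirm against the signer.
        return BytesEqual(computed, reference.DigestValue);
    }
}

/// <summary>
/// Compares two byte arrays for equality; <c>null</c> never equals anything.
/// </summary>
private static bool BytesEqual(byte[] left, byte[] right)
{
    if (left == null || right == null || left.Length != right.Length)
    {
        return false;
    }
    for (int i = 0; i < left.Length; i++)
    {
        if (left[i] != right[i])
        {
            return false;
        }
    }
    return true;
}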

Any suggestions or pointers to correct the code or resolve the issue?

Below is the signed XML with newlines in the CipherValue.


<?xml version="1.0" encoding="UTF-8" standalone="yes"?><MyMessage
xmlns="http://www.letsgohome.com/DingDong-20070820#";><MyPublic
Id="ID_MyPublicNode"><MessageId>urn:uuid:1e315f76-44f3-44a2-
af37-2dffb992a6fc</MessageId><MessageType>http://www.letsgohome.com/
DingDong-20070820# </MessageType><AnnotationText>Validate the Hash for
reference nodes</AnnotationText><IssueDate>2007-08-19T06:35:07-00:00</
IssueDate><RequiredExtensions><ContentKeysNotValidBefore>2007-08-19T06:34:19-00:00</
ContentKeysNotValidBefore><ContentKeysNotValidAfter>2007-08-31T06:34:19-00:00</
ContentKeysNotValidAfter><KeyIdList><KeyId>urn:uuid:415de2f2-3b4a-
d344-8255-42cfba43ca12</KeyId></KeyIdList></
RequiredExtensions><NonCriticalExtensions /></MyPublic><MyUserData
Id="ID_MyUserData" xmlns:enc=" http://www.w3.org/2001/04/xmlenc#";><enc:EncryptedKey><enc:EncryptionMethod
Algorithm=" http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"; /
<enc:CipherData><enc:CipherValue>rjnjMF+12ErjTs4ov3YK
+d9eeiKYt22pG50wsi1XakLQ/vt9GuZ4eRuy/CuyB57hXzvntw5BAmgY
XEx1npJbbb4D2BuBKvyOohRf5ROA6qIuX+jWxEVSI9eVg+/+SXwE4NH6/
QD1+2En9EG8aPR8geG6
+3c3Gy/RYzOqzkuYkyvDWz9FZcVoCR3hgr+t2dTg4Yp1yo4oMGbBbLE81O7wOv/
YCrze6e6HajK5
Gxt4Sz0TzHoGtKmWBMtWVuQqVpMMB4lQdBdLwGgNUv/oPDfilb
+glTgXkypLi64M8zebKsdJgcMP
1fIvO9rYrvIHOVmp/3ntShoV9lWqqeEjCv/yeQ==</enc:CipherValue></
enc:CipherData></enc:EncryptedKey></MyUserData><Signature xmlns="
http://www.w3.org/2000/09/xmldsig#";><SignedInfo><CanonicalizationMethod
Algorithm=" http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments";
/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-
sha1" /><Reference URI="#ID_MyPublicNode"><DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1"; /><DigestValue>MlRC/+/
7xJT4imrZHgOJ/4B8m94=</DigestValue></Reference><Reference
URI="#ID_MyUserData"><DigestMethod Algorithm=" http://www.w3.org/2000/09/xmldsig#sha1";
/><DigestValue>rt+8bQ7tmB/9jQTIEfSPFhsf3Ro=</DigestValue></Reference></
SignedInfo><SignatureValue>GGtYL1wVwUgvATZa/
sHI9VXdNkCqduh0Ujl9YAUN0+e34hXVTHVmfJqVoq45sKXm0btdzrh0f5jSox2JBhzgTBDJeMtVDRJAFdifs2yABDvpD1aVz0wawJ80SG9c2aSk3x3qzF
+ysCpzubEuxY2t0GscfMuIJMWzBqEPbcwVW8JznNg1M/
7ac1zvLEOiwLYJFuAYYHR6AkFuhdv3tHhVso+ACkY4E9aavgrNdg4OXU9X
+acoxXnh9kh0dlUXhMiS0/UOyhitZKVpodEvh4tsIBPMsIJdBUp2dkqCiSlY4QNS
+HczarGp8g91jb9KtFaQkG34OglE3O0dw89cgnPaSg==</
SignatureValue><KeyInfo><X509Data><X509IssuerSerial><X509IssuerName>CN="CineCert,
LLC D-Cinema Signer Certificate Sig-0001", OU="CineCert, LLC D-Cinema
RA", O="CineCert, LLC D-Cinema RA", dnQualifier="vnqteTcB2Gji
+1Hl23sxxgOqvwE="</X509IssuerName><X509SerialNumber>16584</
X509SerialNumber></
X509IssuerSerial><X509Certificate>MIIE4jCCA8qgAwIBAgICQMgwDQYJKoZIhvcNAQEFBQAwgawxJTAjBgNVBC4THHZucXRlVGNCMkdqaSsxSGwyM3N4eGdPcXZ3RT0xIjAgBgNVBAoTGUNpbmVDZXJ0LCBMTEMgRC1DaW5lbWEgUkExIjAgBgNVBAsTGUNpbmVDZXJ0LCBMTEMgRC1DaW5lbWEgUkExOzA5BgNVBAMTMkNpbmVDZXJ0LCBMTEMgRC1DaW5lbWEgU2lnbmVyIENlcnRpZmljYXRlIFNpZy0wMDAxMB4XDTA3MDUyMjIzMDkyMFoXDTA4MDUyMTIzMDkyMFowgaQxJTAjBgNVBC4THEtKZ2tJNC9ZUmhsVTBtQTVrVnoyOThzYnZWST0xIjAgBgNVBAoTGUNpbmVDZXJ0LCBMTEMgRC1DaW5lbWEgUkExIjAgBgNVBAsTGUNpbmVDZXJ0LCBMTEMgRC1DaW5lbWEgUkExMzAxBgNVBAMTKlNNLkNpbmVDZXJ0LCBMTEMgRC1DaW5lbWEgRGV2aWNlIERpc25leS1YMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALTxz2L7XHpzwbxQPrvv7VPHvbLcFwJlLUxuDud0MR667g6Fg4G2CusH1VOHH7M05YC/
B67bTR8X83z5ymXYghS96tzpWVzL1YzEOtihIY
+9qgJM4sg2E2XhoGQH4SweIFB2ayMV0HZFpMmvd/
H6DcTc2newhCaLrSoHdjjcA8iJVLCV9g9k4HlmgHQsJqvyza11Ci6KRmR5b/
cPI5Z2ezSOmUASEZd49cu+aN9fFfBe1bMEJ9rtiZ4b/
ItcvT3baHuShV1PapfeliaigHBRbgfF9bNknXSBEiHwonOrqZH8P4BeIKC3AYbZpQmBJk2dH4+ogcDnxMrcZaxmumZ
+Yb0CAwEAAaOCARIwggEOMAsGA1UdDwQEAwIF4DAPBgNVHRMBAf8EBTADAgEAMB0GA1UdDgQWBBQomCQjj9hGGVTSYDmRXPb3yxu9UjCBzgYDVR0jBIHGMIHDgBS
+eq15NwHYaOL7UeXbezHGA6q/
AaGBpqSBozCBoDEiMCAGA1UEChMZQ2luZUNlcnQsIExMQyBELUNpbmVtYSBSQTEiMCAGA1UECxMZQ2luZUNlcnQsIExMQyBELUNpbmVtYSBSQTEvMC0GA1UEAxMmQ2luZUNlcnQsIExMQyBDbGFzcyBYIFJvb3QgQ2VydGlmaWNhdGUxJTAjBgNVBC4THDlCSEV3bmFGb0UrVnMxampUUTZ4VWFZT1UrOD2CAkCVMA0GCSqGSIb3DQEBBQUAA4IBAQAK6CxGkqvB1GIGwV9yLz91X/
IvLXn4eGwo6nFii++
+MpfUSbxzrcqlKvxbDBjsOnrWX6oQBjkam4hkY5JsFyuEC4cH6kvB32vvVhdLlTEhz9bry16AVxzk/
jMvGJhmAGOQZf6xA30bvvwcLixOutIu8/
exsKnS02ACkqKKnCWSihz9tthodUbeIXfZHMaAtk6c1vno/3ih3SysqBd7HWy
+sSpWUAsGc8wZPmARIDleVO/
BdeqgZbZIiIEjXaUjHvmbQ2rnaVFECpGP8kzJvA6UAkFrVUtpq0k06rjDRXhdJLvPWOzOMrN8/
lwEe2rvqgtx/UxsMUvOp0bvIzqdFx2d</X509Certificate></
X509Data><X509Data><X509IssuerSerial><X509IssuerName>dnQualifier="9BHEwnaFoE
+Vs1jjTQ6xUaYOU+8=", CN="CineCert, LLC Class X Root Certificate",
OU="CineCert, LLC D-Cinema RA", O="CineCert, LLC D-Cinema RA"</
X509IssuerName><X509SerialNumber>16533</X509SerialNumber></
X509IssuerSerial><X509Certificate>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
ugAd7sq9urKX8cXdSb6JBvEzbp8h63+VsSWOQBmn4DaT2dmdDbsqZZMgEK2JwlPt8aKG3ub
+0iJkvWOmfS9lAg3FYrVNSWfj77CE7ctLkxH+1fkJDs/
1ofwGflmvivSylQdJZjhpm4GOlQMT6Ui7oRSszd63uqVfr6V1S6TarVR7pgu5camh5RdHpXouyja/
5I1fBu55oizwav0Co1TUi6++NAZzYPt5ZXdLJvXfCfqtR/
5f5rWj5I3JXLaXYaoKCKqzVmnRbqivCYa/wyCKSd284pq
+cgAQZh6D4FAtcPJ9n3j1QS502HMlDq0D7UpKx8YBcKy7wnOtQIDAQABo4IBHDCCARgwCwYDVR0PBAQDAgIEMBIGA1UdEwEB/
wQIMAYBAf8CAQgwHQYDVR0OBBYEFL56rXk3Adho4vtR5dt7McYDqr8BMIHVBgNVHSMEgc0wgcqAFPQRxMJ2haBPlbNY400OsVGmDlPvoYGmpIGjMIGgMSIwIAYDVQQKExlDaW5lQ2VydCwgTExDIEQtQ2luZW1hIFJBMSIwIAYDVQQLExlDaW5lQ2VydCwgTExDIEQtQ2luZW1hIFJBMS8wLQYDVQQDEyZDaW5lQ2VydCwgTExDIENsYXNzIFggUm9vdCBDZXJ0aWZpY2F0ZTElMCMGA1UELhMcOUJIRXduYUZvRStWczFqalRRNnhVYVlPVSs4PYIJAOoq1VHdwDlrMA0GCSqGSIb3DQEBBQUAA4IBAQAXBRqLt6igQ6MaCzlE4tQwrR1c5bEpZlZxzbbEe4kIdQkAwxdVmJdgJJ9mHKs21Hfcq0zvXByxacA3maJElDHXXk2zeFQggZauoBS7WJAKw0CVqvivs6mzPqSG6Q3cu1Gd1TOJDcwTjYr8I/
BYvPgm23AI5tL3C8W6rxqYxbN8IWFN1t24uPRt92ooE
+Y3Zk0Z7CYUwKP0guISGbTkgNFDlDrd5ygVvwAqKPX5SvwQseibbiiOE9Z9YzreajvGglWVWr1BMiAjCtprVnXCN1U/
OATchUEQbm2yQ5hKHtW3WnuugKRA+D15Wkw9Dr8gI8nrt5mhGYmEYCIXl80KY/pn</
X509Certificate></
X509Data><X509Data><X509IssuerSerial><X509IssuerName>dnQualifier="9BHEwnaFoE
+Vs1jjTQ6xUaYOU+8=", CN="CineCert, LLC Class X Root Certificate",
OU="CineCert, LLC D-Cinema RA", O="CineCert, LLC D-Cinema RA"</
X509IssuerName><X509SerialNumber>16873533501486414187</
X509SerialNumber></
X509IssuerSerial><X509Certificate>MIIE4zCCA8ugAwIBAgIJAOoq1VHdwDlrMA0GCSqGSIb3DQEBBQUAMIGgMSIwIAYDVQQKExlDaW5lQ2VydCwgTExDIEQtQ2luZW1hIFJBMSIwIAYDVQQLExlDaW5lQ2VydCwgTExDIEQtQ2luZW1hIFJBMS8wLQYDVQQDEyZDaW5lQ2VydCwgTExDIENsYXNzIFggUm9vdCBDZXJ0aWZpY2F0ZTElMCMGA1UELhMcOUJIRXduYUZvRStWczFqalRRNnhVYVlPVSs4PTAeFw0wNTEwMjYyMzQyMDlaFw0yNTEwMjEyMzQyMDlaMIGgMSIwIAYDVQQKExlDaW5lQ2VydCwgTExDIEQtQ2luZW1hIFJBMSIwIAYDVQQLExlDaW5lQ2VydCwgTExDIEQtQ2luZW1hIFJBMS8wLQYDVQQDEyZDaW5lQ2VydCwgTExDIENsYXNzIFggUm9vdCBDZXJ0aWZpY2F0ZTElMCMGA1UELhMcOUJIRXduYUZvRStWczFqalRRNnhVYVlPVSs4PTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJsRO/
R7XcF4blKmAE0HYUzNUD6QGy96cquYbQivVcMz5osfWPEeA4+yxiB9nYGQ1WeCg0X6TWWUpqDu7amxpfk2ZnihwwOdeOUYhOxTu5Bo7cEfbc6OlusHsLIRHMdvnlfNCUGvY8DKW
+5O3Qh0QnPLxxfe5y2RUQoIif+TUGyF24gAOv
+kT4UC4wFJVwxZB036llbUCJl4XrsWr32QUqJMKsjnTEoXoLyxqQMLz6xc/
WqUt0Lljm5cbqiRhly0FLDyz8nqaKhSe6zpehsnZW/Wn1rUHhjh5o
+S2ERm9EDMY7Ccoz9GULZoAGWX63HpEh0H9aPgsaYKQfzzRNZteOcCAwEAAaOCARwwggEYMB0GA1UdDgQWBBT0EcTCdoWgT5WzWONNDrFRpg5T7zCB1QYDVR0jBIHNMIHKgBT0EcTCdoWgT5WzWONNDrFRpg5T76GBpqSBozCBoDEiMCAGA1UEChMZQ2luZUNlcnQsIExMQyBELUNpbmVtYSBSQTEiMCAGA1UECxMZQ2luZUNlcnQsIExMQyBELUNpbmVtYSBSQTEvMC0GA1UEAxMmQ2luZUNlcnQsIExMQyBDbGFzcyBYIFJvb3QgQ2VydGlmaWNhdGUxJTAjBgNVBC4THDlCSEV3bmFGb0UrVnMxampUUTZ4VWFZT1UrOD2CCQDqKtVR3cA5azASBgNVHRMBAf8ECDAGAQH/
AgEKMAsGA1UdDwQEAwICBDANBgkqhkiG9w0BAQUFAAOCAQEAb0DPnC9x5oxQzfl4DcrYOfmKFrSA5rOO1pf8rCcPYpKmGms3wsD0yWIKzP4bBAdmOntMrS2RD3/
bR0uzl4t4F56f/
WBI6hR53dcBNpLhM2KoiDoa2CaF0+0SsmK2ApO2leXtCfNmsYuT6XojtdywPWr6wL4ZYjVGS6hur4DONzTKqSaqSD3geNTXH5VXlEqBogtIZTRZ0WFmqerLN1xx
+aNqrp0cYTqpGu3EmBBJethbNRXw/RJVtQ7fVAZqURiS6sAkFmL9ia83W6s1tsE/PUTDW/
1s839tULScSydUIGs7BwPGzQX5GvTG/i8eTf67s9zad7ak6F/sprvjRSdIcg==</
X509Certificate></X509Data></KeyInfo></Signature></MyMessage>
