Replacing System.Security.Cryptography.Xml.SignedXml with Azure Keyvault Sign API

Sylvain Bouchard 0 Reputation points
2024-07-18T14:38:33.33+00:00

We have a service that signs an XML document using System.Security.Cryptography.Xml.SignedXml and a X509Certificate2. We use the following signature method Signature.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256U.

We want to change the signing method to use Azure Keyvault Sign API.

We have no control over the receiving end, so the signature has to be identical to what we are currently generating using the SignedXml.

We tried overwriting the SignHash of RSA and calling the Azure Sign API with the hash. But the remote server is not accepting the signature. Is it possible to achieve the same result as XmlDsigRSASHA256U with the Azure Sign API?

The following code is used to call the API:

```csharp
// Both methods are members of a class derived from RSA; SignedXml.ComputeSignature()
// reaches the overridden SignHash() through RSAPKCS1SignatureFormatter.
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public static async Task<byte[]> SignHashAsync(byte[] hash)
{
    var accessToken = await GetAccessToken();
    var httpClient = new HttpClient();
    var uri = new Uri($"https://{ConfigurationAzure.KeyId}.vault.azure.net/keys/{ConfigurationAzure.KeyName}/{ConfigurationAzure.KeyVersion}/sign?api-version=7.0");

    // Key Vault takes the digest as base64url text (no '=' padding, '-' and '_'), not standard Base64.
    // RS256 is RSASSA-PKCS1-v1_5 over SHA-256, the same primitive XmlDsigRSASHA256Url uses.
    var requestContent = new StringContent(
        $"{{\"alg\":\"RS256\",\"value\":\"{Base64UrlEncode(hash)}\"}}", Encoding.UTF8, "application/json");
    httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

    var response = await httpClient.PostAsync(uri, requestContent);
    response.EnsureSuccessStatusCode();
    string rep = await response.Content.ReadAsStringAsync();

    // The body is {"kid":"...","value":"<base64url signature>"}. Parse it as JSON rather than
    // splitting on quotes, and decode "value" into the raw signature bytes. Returning
    // Encoding.UTF8.GetBytes(signature) hands SignedXml the text of the encoded string,
    // which is why the receiving end rejects the signature.
    using var doc = JsonDocument.Parse(rep);
    string signature = doc.RootElement.GetProperty("value").GetString()!;
    return Base64UrlDecode(signature);
}

private static string Base64UrlEncode(byte[] data) =>
    Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

private static byte[] Base64UrlDecode(string text)
{
    string b64 = text.Replace('-', '+').Replace('_', '/');
    return Convert.FromBase64String(b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='));
}

public override byte[] SignHash(byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
{
    // RS256 only covers SHA-256 with PKCS#1 v1.5 padding; anything else would be a silent mismatch.
    if (hashAlgorithm != HashAlgorithmName.SHA256 || padding != RSASignaturePadding.Pkcs1)
        throw new CryptographicException("Only SHA-256 with PKCS#1 v1.5 (RS256) is supported.");
    return SignHashAsync(hash).ConfigureAwait(false).GetAwaiter().GetResult();
}
```

In the following file, the getSignedMessageOAAzure function is our Azure Key Vault version, while getSignedMessageOA is the working signedXML version.

signature_code.txt
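The following is an added, self-contained example (not the poster's code, not Azure SDK code) showing the approach the question describes end to end: an RSA subclass whose SignHash() delegates the SHA-256 digest to an external signer, plugged into SignedXml with XmlDsigRSASHA256Url, and the result checked against the public key and against an in-process signature. The Key Vault call itself is replaced by a stand-in local function (FakeKeyVaultSign) that returns the same JSON shape the /sign endpoint does; RemoteSignRsa, ParseSignResponse and the base64url helpers are assumptions of this example. It needs the System.Security.Cryptography.Xml package on .NET Core.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Text.Json;
using System.Xml;

// RSA whose private operation happens elsewhere. SignedXml only calls SignHash() when signing,
// so ExportParameters() hands out the public half and everything else is left unimplemented.
sealed class RemoteSignRsa : RSA
{
    private readonly RSAParameters _publicKey;
    private readonly Func<byte[], byte[]> _remoteSign;   // digest in, raw signature bytes out

    public RemoteSignRsa(RSAParameters publicKey, Func<byte[], byte[]> remoteSign)
    {
        _publicKey = publicKey;
        _remoteSign = remoteSign;
        KeySizeValue = publicKey.Modulus!.Length * 8;
    }

    public override byte[] SignHash(byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
    {
        // XmlDsigRSASHA256Url = RSASSA-PKCS1-v1_5 over SHA-256, which is Key Vault's "RS256".
        if (hashAlgorithm != HashAlgorithmName.SHA256 || padding != RSASignaturePadding.Pkcs1)
            throw new CryptographicException("Only SHA-256 with PKCS#1 v1.5 (RS256) is delegated.");
        return _remoteSign(hash);
    }

    public override RSAParameters ExportParameters(bool includePrivateParameters) =>
        includePrivateParameters ? throw new CryptographicException("Private key is not exportable.") : _publicKey;

    public override void ImportParameters(RSAParameters parameters) => throw new NotSupportedException();
}

static class Program
{
    // Key Vault encodes "value" as base64url (no padding, '-' and '_'); these helpers are assumptions.
    static string Base64UrlEncode(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] Base64UrlDecode(string text)
    {
        string b64 = text.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='));
    }

    // Turns a /sign response body into raw signature bytes; this is the step a client must get right.
    static byte[] ParseSignResponse(string json)
    {
        using var doc = JsonDocument.Parse(json);
        return Base64UrlDecode(doc.RootElement.GetProperty("value").GetString()!);
    }

    static string SignDocument(string xml, RSA signingKey)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);
        var signedXml = new SignedXml(doc) { SigningKey = signingKey };
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;
        var reference = new Reference("") { DigestMethod = SignedXml.XmlDsigSHA256Url };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();                     // -> signingKey.SignHash(sha256(SignedInfo))
        doc.DocumentElement!.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc.OuterXml;
    }

    static bool VerifyDocument(string signedDocument, RSA publicKey)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(signedDocument);
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)[0]!);
        return signedXml.CheckSignature(publicKey);
    }

    static void Main()
    {
        // Stand-in for the Key Vault key: the private half is only ever used inside FakeKeyVaultSign.
        using RSA vaultKey = RSA.Create(2048);
        RSAParameters publicOnly = vaultKey.ExportParameters(false);

        // Stand-in for POST .../keys/{name}/{version}/sign with {"alg":"RS256","value":<base64url digest>}.
        string FakeKeyVaultSign(byte[] digest)
        {
            byte[] sig = vaultKey.SignHash(digest, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return $"{{\"kid\":\"https://example.vault.azure.net/keys/demo/1\",\"value\":\"{Base64UrlEncode(sig)}\"}}";
        }

        const string payload = "<Order><Id>42</Id></Order>";   // constructed sample document
        using var remoteRsa = new RemoteSignRsa(publicOnly, digest => ParseSignResponse(FakeKeyVaultSign(digest)));
        using var publicRsa = RSA.Create(publicOnly);

        string viaKeyVault = SignDocument(payload, remoteRsa);
        Console.WriteLine(VerifyDocument(viaKeyVault, publicRsa) ? "verifies with the public key" : "INVALID");

        // PKCS#1 v1.5 signatures are deterministic, so the delegated output must equal the in-process one.
        string viaLocalKey = SignDocument(payload, vaultKey);
        Console.WriteLine(viaKeyVault == viaLocalKey ? "byte-for-byte identical to local SignedXml" : "DIFFERS");
    }
}
```

The last comparison is the useful check: because RSASSA-PKCS1-v1_5 is deterministic, signing the same SignedInfo digest with the same key must give the same SignatureValue whether the private operation runs in-process or in Key Vault. If a delegated signature fails verification while the local one passes, the defect is in what the client hands to SignedXml (encoding of the returned value, wrong digest sent, or a different key or algorithm on the vault side), not in SignedXml itself.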

Azure Key Vault