Does SignedXml.CheckSignatureReturningKey support XML that contains  characters

Question

Does SignedXml.CheckSignatureReturningKey support XML that contains  characters

Michael Smuin 0

We are attempting to validate XML signed in an external system. There are characters in the XML which are automatically getting set to carriage returns. Because they are automatically converted, the DigestValue in the XML and that which is computed do not match. Has anybody had problems validating XML in this situation? If so, what solution were you able to find?

Anonymous

2023-07-24T06:20:18.3233333+00:00

Welcome to Microsoft Q&A,

Is the signature file you use a pure xml file?

Do you need to use it in a c# project? You originally tagged asp.net core. Relevant people told me that SignedXml.CheckSignatureReturningKey is not applicable in asp.net core.

I have an unofficial example here just for reference: https://stackoverflow.com/q/1026432/16764901
Michael Smuin 0 Reputation points

2023-08-01T19:36:17.12+00:00

Perhaps this isn't the best place exactly to ask this question. It looks like this is tagged for .NET.

2 answers

Your answer

Anonymous

2023-07-24T06:20:18.3233333+00:00

Welcome to Microsoft Q&A,

Is the signature file you use a pure xml file?

Do you need to use it in a c# project? You originally tagged asp.net core. Relevant people told me that SignedXml.CheckSignatureReturningKey is not applicable in asp.net core.

I have an unofficial example here just for reference: https://stackoverflow.com/q/1026432/16764901
Michael Smuin 0 Reputation points

2023-08-01T19:36:17.12+00:00

Perhaps this isn't the best place exactly to ask this question. It looks like this is tagged for .NET.

Answer 1

My experience with Signed XML is based on .Net Framework.
Since PreserveWhiteSpace was already considered, and assuming you are checking Signature against proper XML Node (here I mean OuterXML), check on XML what SignatureMethod Algorithm method was used.

Starting .Net Framework 4.7.1 Default Algorithm has changed from SHA1 to SHA256, because SHA1 is no longer considered secure. I´m assuming same applies to .Net Core due to security concerns.
Check this link https://github.com/microsoft/dotnet/blob/main/Documentation/compatibility/Change-SignedXML-and-SignedCMS-default-algorithms-to-SHA256.md

In past with .Net Framework 4.6, when SHA1 was default, I face with some XML Signed using SHA256, at that time had to add support for SHA256 (I think is not your case).

Some days ago with .Net Framework 4.8, I faced the opposite, XML Signed using SHA1, in this case Recommended Action on link above solved my issue

Answer 2

Jose Zero 576

Perhaps you missing XMLDocument.PreserveWhiteSpace property when load xml. Such white space can make your Signature check invalid.
https://learn.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.preservewhitespace?view=net-7.0

Jose Zero 576 Reputation points

2023-08-02T00:11:18.21+00:00

Also take a look here https://weblog.west-wind.com/posts/2008/Mar/03/Watch-out-for-XmlDocumentPreserveWhitespace-when-dealing-with-Digital-Signatures
Michael Smuin 0 Reputation points

2023-08-02T00:16:45.4433333+00:00

I see I did not include those details in this post. Preserving Whitespace does nothing in this situation. We already process the XML with those settings. The problem is those special characters in the XML body where the signature is computed. When the XML is read in the is automatically converted to \r\n. The bytes are technically different so the computed signature is different. We had to preserver white space already as there is significant whitespace throughout this XML document.
Michael Smuin 0 Reputation points

2023-08-02T00:18:58.38+00:00

We've tried all sorts of means of processing the XML. Trying to change the InnerText after it is parsed so that the XML that is signed and the XML that is being verified is exactly the same, but it doesn't work.

For more context, the XML signature is computed in javax which does handle these characters differently. Signature verification of the XML does work correctly in javax.

Share via

Does SignedXml.CheckSignatureReturningKey support XML that contains &#13; characters

2 answers

Your answer

Does SignedXml.CheckSignatureReturningKey support XML that contains characters