Replacing System.Security.Cryptography.Xml.SignedXml with Azure Keyvault Sign API

Sylvain Bouchard 0 Reputation points
2024-07-18T14:38:33.33+00:00

We have a service that signs an XML document using System.Security.Cryptography.Xml.SignedXml and an X509Certificate2. We use the following signature method: `Signature.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url`.

We want to change the signing method to use the Azure Key Vault Sign API.

We have no control over the receiving end, so the signature has to be identical to what we are currently generating using the SignedXml.

We tried overwriting the SignHash of RSA and calling the Azure Sign API with the hash, but the remote server is not accepting the signature. Is it possible to achieve the same result as XmlDsigRSASHA256Url with the Azure Sign API?

The following code is used to call the API:

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static async Task<byte[]> SignHashAsync(byte[] hash)
{
    var accessToken = await GetAccessToken();
    var httpClient = new HttpClient();
    var uri = new Uri($"https://{ConfigurationAzure.KeyId}.vault.azure.net/keys/{ConfigurationAzure.KeyName}/{ConfigurationAzure.KeyVersion}/sign?api-version=7.0");

    // Key Vault expects the digest as base64url (no '=' padding, '-' and '_'), not standard base64.
    string digest = Base64UrlEncode(hash);
    var requestContent = new StringContent($"{{\"alg\":\"RS256\",\"value\":\"{digest}\"}}", Encoding.UTF8, "application/json");
    httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

    var response = await httpClient.PostAsync(uri, requestContent);
    response.EnsureSuccessStatusCode();

    // Parse the JSON instead of splitting on quotes; "value" holds the base64url-encoded signature.
    using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
    string signature = doc.RootElement.GetProperty("value").GetString();

    // Return the decoded signature bytes (256 bytes for a 2048-bit key), not the UTF-8 bytes of the string.
    return Base64UrlDecode(signature);
}

private static string Base64UrlEncode(byte[] data) =>
    Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

private static byte[] Base64UrlDecode(string s)
{
    string b64 = s.Replace('-', '+').Replace('_', '/');
    return Convert.FromBase64String(b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='));
}

public override byte[] SignHash(byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
{
    // SignedXml calls this with the SHA-256 digest of SignedInfo and PKCS#1 v1.5 padding, which is what RS256 applies.
    return SignHashAsync(hash).ConfigureAwait(false).GetAwaiter().GetResult();
}
```

In the following file, the getSignedMessageOAAzure function is our Azure Key Vault version, while getSignedMessageOA is the working SignedXml version.

signature_code.txt
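As an added example (not the poster's code), the same substitution done with the Azure.Security.KeyVault.Keys SDK instead of hand-rolled HTTP: an RSA subclass whose SignHash delegates to Key Vault, plugged into the unchanged SignedXml setup, followed by a local CheckSignature against the certificate's public key before the document is sent. It assumes the Azure.Security.KeyVault.Keys and Azure.Identity packages, a full key identifier URL in `keyId`, and a certificate `cert` whose public key matches the vault key; because PKCS#1 v1.5 signing is deterministic, the SignatureValue is byte-for-byte what the local private key would have produced.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;
using Azure.Identity;
using Azure.Security.KeyVault.Keys.Cryptography;

// RSA shim: the private key stays in Key Vault; only SignHash goes remote.
public sealed class KeyVaultRsa : RSA
{
    private readonly CryptographyClient _client;
    private readonly RSA _publicKey; // public half, for parameter and size queries only
    public KeyVaultRsa(string keyId, RSA publicKey)   // keyId: assumed full key identifier URL
    {
        _client = new CryptographyClient(new Uri(keyId), new DefaultAzureCredential());
        _publicKey = publicKey;
        KeySizeValue = publicKey.KeySize;
    }
    public override byte[] SignHash(byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
    {
        // SignedXml passes the SHA-256 digest of canonicalized SignedInfo and asks for PKCS#1 v1.5.
        // RS256 in Key Vault is exactly that scheme, so the bytes match a local RSA.SignHash.
        if (hashAlgorithm != HashAlgorithmName.SHA256 || padding != RSASignaturePadding.Pkcs1)
            throw new CryptographicException("Only SHA-256 with PKCS#1 v1.5 maps to RS256.");
        return _client.Sign(SignatureAlgorithm.RS256, hash).Signature; // SDK does the base64url work
    }
    public override RSAParameters ExportParameters(bool includePrivateParameters) =>
        includePrivateParameters ? throw new CryptographicException("Private key is not exportable.")
                                 : _publicKey.ExportParameters(false);
    public override void ImportParameters(RSAParameters parameters) => throw new NotSupportedException();
}

public static class XmlSigner
{
    // Same SignedXml setup as the working local version; only SigningKey differs.
    public static XmlElement Sign(XmlDocument doc, string keyId, X509Certificate2 cert)
    {
        var signedXml = new SignedXml(doc) { SigningKey = new KeyVaultRsa(keyId, cert.GetRSAPublicKey()!) };
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;
        var reference = new Reference("") { DigestMethod = SignedXml.XmlDsigSHA256Url };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        signedXml.KeyInfo.AddClause(new KeyInfoX509Data(cert));
        signedXml.ComputeSignature();
        // Verify locally with the certificate's public key before the document leaves the service.
        if (!signedXml.CheckSignature(cert.GetRSAPublicKey()!))
            throw new CryptographicException("Key Vault signature did not verify against the certificate.");
        return signedXml.GetXml();
    }
}
```

If the local CheckSignature passes but the receiver still rejects, the difference lies outside the signature bytes (canonicalization, references or KeyInfo), not in the Key Vault call.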


1 answer

  1. Gudivada Adi Navya Sri 21,080 Reputation points Moderator
    2024-07-22T12:09:43.5433333+00:00

    Hi @Sylvain Bouchard

    I understand that you are trying to use the Azure Key Vault Sign API to sign an XML document, but the remote server is not accepting the signature. The customer has tried overwriting the Sign Hash of RSA and calling the Azure Sign API with the hash, but this has not worked.

    The XmlDsigRSASHA256Url algorithm uses the RSA-SHA256 algorithm and the SHA256 hashing algorithm. The JsonWebKeySignatureAlgorithm supports the following algorithms:

    [image: list of supported JsonWebKeySignatureAlgorithm values]

    For your reference: https://learn.microsoft.com/en-us/rest/api/keyvault/keys/sign/sign?view=rest-keyvault-keys-7.4&tabs=HTTP

    Hope this helps. Do let us know if you have any further queries. If my understanding of the issue is incorrect, feel free to post back.

    Thanks,

    Navya.

