2

I have posted about this already but no luck since then I have more information I thought I would try again I really hope someone can help. Basically I am reading an XML file and verifying the fact that it has been signed. This code works perfectly when run as an adminitrator but not as network service, the final line resolves to 'true' but when not run as admin doesnt.

NOTE: this is not a problem with reading the XML file this opens fine. The problem is with one of the objects in memory. I 'think' the problem is to do with access control lists on the CryptoKeyRights object.

I have used the following (in the below code) to try and grant everyone access to the CspParams object:

CryptoKeyRights rightsForall = CryptoKeyRights.FullControl;

CryptoKeyAccessRule everyone = new CryptoKeyAccessRule(@"Everyone", CryptoKeyRights.FullControl, AccessControlType.Allow);

cspParams.CryptoKeySecurity = new CryptoKeySecurity();

cspParams.CryptoKeySecurity.AddAccessRule(everyone);

The above code

The code is:

// Verify the signature of an XML file against an asymmetric 
// algorithm and return the result.XmlDocument Doc, RSA Key
public static Boolean VerifyLicenceFile(string xmlLicFilePathArg)
{
    bool isVerified = false;

    try
    {

        CspParameters cspParams = new CspParameters();

        cspParams.KeyContainerName = containerName;

        RSACryptoServiceProvider rsaKey = new RSACryptoServiceProvider(cspParams);

        // Create a new XML document.
        XmlDocument xmlDoc = new XmlDocument();

        // Load an XML file into the XmlDocument object.
        xmlDoc.PreserveWhitespace = true;
        xmlDoc.Load(xmlLicFilePathArg);


        // Check arguments.
        if (xmlDoc == null)
            throw new ArgumentException("Doc");
        if (rsaKey == null)
            throw new ArgumentException("Key");

        // Create a new SignedXml object and pass it
        // the XML document class.
        SignedXml signedXml = new SignedXml(xmlDoc);

        // Find the "Signature" node and create a new
        // XmlNodeList object.
        XmlNodeList nodeList = xmlDoc.GetElementsByTagName("Signature");

        // Throw an exception if no signature was found.
        if (nodeList.Count <= 0)
        {
            throw new CryptographicException("Verification failed: No Signature was found in the document.");
        }

        // This example only supports one signature for
        // the entire XML document.  Throw an exception 
        // if more than one signature was found.
        if (nodeList.Count >= 2)
        {
            throw new CryptographicException("Verification failed: More that one signature was found for the document.");
        }

        // Load the first <signature> node.  
        signedXml.LoadXml((XmlElement)nodeList[0]);

        // Check the signature and return the result.
        isVerified = signedXml.CheckSignature(rsaKey);
    }
    catch (Exception ex)
    { 
    }

    return isVerified;

}
Exitos
  • 29,230
  • 38
  • 123
  • 178

3 Answers3

0

This is a problem with the Mandatory Profiles and Temporary profiles.

These profiles are not full users, and do not have their own key stores. You need to use an ephemeral key, or avoid triggering keystore access.

See http://blogs.msdn.com/b/alejacma/archive/2007/10/23/rsacryptoserviceprovider-fails-when-used-with-mandatory-profiles.aspx for details.

You can try setting RSACryptoServiceProvider.UseMachineKeyStore = true. This might avoid using the user profile's keystore.

If you are using .net 4.0 you can use the new CspParameters.flags CreateEphemeralKey to indicate that the key is independent of the keystore. i.e. it is an in-memory key, not read or saved to the keychain.

xt1
  • 408
  • 3
  • 11
0

This sounds more like permissions on the root CA, or the signing cert. So what I'd check is where the certificates in the chain are in the certificate store - if they're in the User store (which would explain it working under Administrator) or the machine store (where they should work for everyone)

blowdart
  • 55,577
  • 12
  • 114
  • 149
0

The anser for this was not to use the machine to store the keys in...export them and load them independantly...

Is it possible to sign an xml document without having to use KeyContainerName?

Community
  • 1
  • 1
Exitos
  • 29,230
  • 38
  • 123
  • 178